Congressional 
Research  Service 

Informing  the  legislative  debate  since  1914 


Cybersecurity:  Authoritative  Reports  and 
Resources,  by  Topic 


Rita  Tehan 

Information  Research  Specialist 
February  19,  2014 


Congressional  Research  Service 

7-5700 

www.crs.gov 

R42507 


CRS  REPORT 

Prepared  for  Members  and 
Committees  of  Congress  — 


Report  Documentation  Page 

Form  Approved 

OMB  No.  0704-0188 

Public  reporting  burden  for  the  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information, 
including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 

VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  OMB  control  number. 

1.  REPORT  DATE 

19  FEB  2014  2- REPORT  TYPE 

3.  DATES  COVERED 

00-00-2014  to  00-00-2014 

4.  TITLE  AND  SUBTITLE 

Cybersecurity:  Authoritative  Reports  and  Resources,  by  Topic 

5a.  CONTRACT  NUMBER 

5b.  GRANT  NUMBER 

5c.  PROGRAM  ELEMENT  NUMBER 

6.  AUTHOR(S) 

5d.  PROJECT  NUMBER 

5e.  TASK  NUMBER 

5f.  WORK  UNIT  NUMBER 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Congressional  Research  Service„The  Library  of  Congress  ,101 
Independence  Ave,  SE„ Washington, DC, 20540 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

10.  SPONSOR/MONITOR'S  ACRONYM(S) 

11.  SPONSOR/MONITOR'S  REPORT 
NUMBER(S) 

12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release;  distribution  unlimited 

13.  SUPPLEMENTARY  NOTES 

14.  ABSTRACT 

15.  SUBJECT  TERMS 

16.  SECURITY  CLASSIFICATION  OF:  17.  LIMITATION  OF 

_ _ _  ABSTRACT 

18.  NUMBER  19a.  NAME  OF 

OF  PAGES  RESPONSIBLE  PERSON 

a.  REPORT  b.  ABSTRACT  c.  THIS  PAGE  Same  OS 

unclassified  unclassified  unclassified  Report  (SAR) 

88 

Standard  Form  298  (Rev.  8-98) 

Prescribed  by  ANSI  Std  Z39-18 


Cybersecurity:  Authoritative  Reports  and  Resources,  by  Topic 


Summary 

This  report  provides  references  to  analytical  reports  on  cybersecurity  from  CRS,  other 
government  agencies,  trade  associations,  and  interest  groups.  The  reports  and  related  websites  are 
grouped  under  the  following  cybersecurity  topics: 

•  policy  overview 

•  National  Strategy  for  Trusted  Identities  in  Cyberspace  (NSTIC) 

•  cloud  computing  and  FedRAMP 

•  critical  infrastructure 

•  cybercrime,  data  breaches  and  data  security 

•  national  security,  cyber  espionage,  and  cyberwar  (including  Stuxnet) 

•  international  efforts 

•  education/training/workforce 

•  research  and  development  (R&D) 

In  addition,  the  report  lists  selected  cybersecurity-related  websites  for  congressional  and 
government  agencies,  news,  international  organizations,  and  organizations  or  institutions. 
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CRS  Reports,  by  Topic1 

This  section  provides  references  to  analytical  reports  on  cybersecurity  from  CRS,  other 
government  agencies,  think  tanks,  trade  associations,  trade  press,  and  technology  research  firms. 
For  each  topic,  CRS  reports  are  listed  first,  followed  by  tables  with  reports  from  other 
organizations. 

CRS  Reports  and  Other  CRS  Products:  Cybersecurity  Policy 

•  CRS  Report  R421 14,  Federal  Laws  Relating  to  Cybersecurity:  Overview  and 
Discussion  of  Proposed  Revisions,  by  Eric  A.  Fischer 

•  CRS  Report  R41941,  The  Obama  Administration  s  Cybersecurity  Proposal: 

Criminal  Provisions,  by  Gina  Stevens 

•  CRS  Report  R42984,  The  2013  Cybersecurity  Executive  Order:  Overview  and 
Considerations  for  Congress,  by  Eric  A.  Fischer  et  al. 

•  CRS  Report  R40150,  A  Federal  Chief  Technology  Officer  in  the  Obama 
Administration:  Options  and  Issues  for  Consideration,  by  John  F.  Sargent  Jr. 

•  CRS  Report  R42409,  Cybersecurity:  Selected  Legal  Issues,  by  Edward  C.  Liu  et 
al. 

•  CRS  Report  R42887,  Overview  and  Issues  for  Implementation  of  the  Federal 
Cloud  Computing  Initiative:  Implications  for  Federal  Information  Technology 
Reform  Management ,  by  Eric  A.  Fischer  and  Patricia  Moloney  Figliola 

•  CRS  Report  R43015,  Cloud  Computing:  Constitutional  and  Statutory  Privacy 
Protections,  by  Richard  M.  Thompson  11 

•  CRS  Legal  Sidebar,  House  Intelligence  Committee  Marks  Up  Cybersecurity  Bill 
CISPA,  Richard  M.  Thompson  11 

•  CRS  Legal  Sidebar,  Can  the  President  Deal  with  Cybersecurity  Issues  via 
Executive  Order?,  Vivian  S.  Chu 


1  For  information  on  legislation  and  hearings  in  the  1 12th-123th  Congresses,  and  Executive  Orders  and  Presidential 
Directives,  see  CRS  Report  R433 1 7,  Cybersecurity:  Legislation,  Hearings,  and  Executive  Branch  Documents,  by  Rita 
Tehan. 
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Table  I .  Cybersecurity  Overview 


Title 

Source 

Date 

Pages 

Notes 

Defending  an  Open,  Global,  Secure,  and 
Resilient  Internet 

Council  on  Foreign  Relations 

June  20 1 3 

127 

The  Task  Force  recommends  that  the  United  States 
develop  a  digital  policy  framework  based  on  four  pillars, 
the  last  of  which  is  that  U.S.-based  industry  work  rapidly 
to  establish  an  industry-led  approach  to  counter  current 
and  future  cyberattacks. 

Measuring  What  Matters:  Reducing  Risk  by 
Rethinking  How  We  Evaluate  Cybersecurity 

Safegov.org,  in  coordination 
with  the  National  Academy  of 
Public  Administration 

March  2013 

39 

Report  recommends  that  rather  than  periodically 
auditing  whether  an  agency's  systems  meet  the  standards 
enumerated  in  Federal  Information  Security  Management 
Act  (FISMA)  at  a  static  moment  in  time,  agencies  and 
their  inspectors  general  should  keep  running  scorecards 
of  “cyber  risk  indicators"  based  on  continual  IG 
assessments  of  a  federal  organization's  cyber 
vulnerabilities. 

Developing  a  Framework  To  Improve  Critical 
Infrastructure  Cybersecurity  ( Federal  Register 
Notice;  Request  for  Information) 

National  Institute  of  Standards 
and  Technology  (NIST) 

February  12,  2013 

5 

NIST  announced  the  first  step  in  the  development  of  a 
Cybersecurity  Framework,  which  will  be  a  set  of 
voluntary  standards  and  best  practices  to  guide  industry 
in  reducing  cyber  risks  to  the  networks  and  computers 
that  are  vital  to  the  nation’s  economy,  security,  and  daily 
life. 

SEI  Emerging  Technology  Center;  Cyber 
Intelligence  Tradecraft  Project 

Carnegie  Mellon  University 

January  20 1 3 

23 

This  report  addresses  the  endemic  problem  of  functional 
cyber  intelligence  analysts  not  effectively  communicating 
with  non-technical  audiences.  It  also  notes  organizations’ 
reluctance  to  share  information  within  their  own  entities, 
industries,  and  across  economic  sectors. 

The  National  Cyber  Security  Framework 

Manual 

NATO  Cooperative  Cyber 
Defense  Center  of  Excellence 

December  1  1 ,  20 1 2 

253 

Provides  detailed  background  information  and  in-depth 
theoretical  frameworks  to  help  the  reader  understand 
the  various  facets  of  National  Cyber  Security,  according 
to  different  levels  of  public  policy  formulation.  The  four 
levels  of  government — political,  strategic,  operational  and 
tactical/technical — each  have  their  own  perspectives  on 
National  Cyber  Security,  and  each  is  addressed  in 
individual  sections  within  the  Manual. 

CRS-2 


Title 

Source 

Date 

Pages 

Notes 

20  Critical  Security  Controls  for  Effective 

Cyber  Defense 

Center  for  Strategic  & 
International  Studies 

November  20 1 2 

89 

The  top  20  security  controls  from  a  public-private 
consortium.  Members  of  the  Consortium  include  NSA, 

US  CERT,  DOD  JTF-GNO,  the  Department  of  Energy 
Nuclear  Laboratories,  Department  of  State,  DOD  Cyber 
Crime  Center  plus  commercial  forensics  experts  in  the 
banking  and  critical  infrastructure  communities. 

Cyber  Security  Task  Force:  Public-Private 
Information  Sharing 

Bipartisan  Policy  Center 

July  2012 

24 

Outlines  a  series  of  proposals  that  would  enhance 
information  sharing.  The  recommendations  have  two 
major  components:  (1)  mitigation  of  perceived  legal 
impediments  to  information  sharing,  and  (2)  incentivizing 
private  sector  information  sharing  by  alleviating  statutory 
and  regulatory  obstacles. 

Cyber-security:  The  Vexed  Question  of  Global 
Rules:  An  Independent  Report  on  Cyber- 
Preparedness  Around  the  World 

McAfee  and  the  Security 
Defense  Agenda 

February  2012 

108 

The  report  examines  the  current  state  of  cyber¬ 
preparedness  around  the  world,  and  is  based  on  survey 
results  from  80  policy-makers  and  cybersecurity  experts 
in  the  government,  business,  and  academic  sectors  from 

27  countries.  The  countries  were  ranked  on  their  state 
of  cyber-preparedness. 

Mission  Critical:  A  Public-Private  Strategy  for 
Effective  Cybersecurity 

Business  Roundtable 

October  1  1,  201  1 

28 

Report  suggests,  “[pjublic  policy  solutions  must 
recognize  the  absolute  importance  of  leveraging  policy 
foundations  that  support  effective  global  risk 
management,  in  contrast  to  “check-the-box”  compliance 
approaches  that  can  undermine  security  and 
cooperation.”  The  document  concludes  with  specific 
policy  proposals  and  activity  commitments. 

World  Cybersecurity  Technology  Research 
Summit  (Belfast  2011) 

Centre  for  Secure  Information 
Technologies  (CSIT) 

September  1 2,  20 1  1 

14 

The  Belfast  201  1  event  attracted  international  cyber 
security  experts  from  leading  research  institutes, 
government  bodies,  and  industry  who  gathered  to 
discuss  current  cyber  security  threats,  predict  future 
threats  and  the  necessary  mitigation  techniques,  and  to 
develop  a  collective  strategy  for  next  research. 
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Title 

Source 

Date 

Pages 

Notes 

A  Review  of  Frequently  Used  Cyber  Analogies 

National  Security  Cyberspace 
Institute 

July  22,  2011 

7 

From  the  report,  “The  current  cybersecurity  crisis  can 
be  described  several  ways  with  numerous  metaphors. 

Many  compare  the  current  crisis  with  the  lawlessness  to 
that  of  the  Wild  West  and  the  out-dated  tactics  and  race 
to  security  with  the  Cold  War.  When  treated  as  a 
distressed  ecosystem,  the  work  of  both  national  and 
international  agencies  to  eradicate  many  infectious 
diseases  serves  as  a  model  as  how  poor  health  can  be 
corrected  with  proper  resources  and  execution.  Before 
these  issues  are  discussed,  what  cyberspace  actually  is 
must  be  identified.” 

America’s  Cyber  Future:  Security  and 

Prosperity  in  the  Information  Age 

Center  for  a  New  American 
Security 

May  31,  2011 

296 

To  help  U.S.  policy  makers  address  the  growing  danger 
of  cyber  insecurity,  this  two-volume  report  features 
chapters  on  cyber  security  strategy,  policy,  and 
technology  by  some  of  the  world’s  leading  experts  on 
international  relations,  national  security,  and  information 
technology. 

Resilience  of  the  Internet  Interconnection 
Ecosystem 

European  Network  and 
Information  Security  Agency 
(ENISA) 

April  1  1,  201  1 

238 

Part  1:  Summary  and  Recommendations;  Part  II:  State  of 
the  Art  Review  (a  detailed  description  of  the  Internet’s 
routing  mechanisms  and  analysis  of  their  robustness  at 
the  technical,  economic  and  policy  levels.);  Part  III: 

Report  on  the  Consultation  (a  broad  range  of 
stakeholders  were  consulted.  This  part  reports  on  the 
consultation  and  summarizes  the  results).  Part  IV: 
Bibliography  and  Appendices. 

Improving  our  Nation’s  Cybersecurity  through 
the  Public-Private  Partnership:  A  White  Paper 

Business  Software  Alliance, 
Center  for  Democracy  & 
Technology,  U.S.  Chamber  of 
Commerce,  Internet  Security 
Alliance,  Tech  America 

March  8,  201  1 

26 

This  paper  proposes  expanding  the  existing  partnership 
within  the  framework  of  the  National  Infrastructure 
Protection  Plan.  Specifically,  it  makes  a  series  of 
recommendations  that  build  upon  the  conclusions  of 
President  Obama’s  Cyberspace  Policy  Review. 

Cybersecurity  Two  Years  Later 

CSIS  Commission  on 
Cybersecurity  for  the  44th 
Presidency,  Center  for 

Strategic  and  International 
Studies 

January  20 1  1 

22 

From  the  report:  “We  thought  then  [in  2008]  that 
securing  cyberspace  had  become  a  critical  challenge  for 
national  security,  which  our  nation  was  not  prepared  to 
meet....  In  our  view,  we  are  still  not  prepared.” 
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Title 

Source 

Date 

Pages 

Notes 

Toward  Better  Usability,  Security,  and  Privacy 
of  Information  Technology:  Report  of  a 
Workshop 

National  Research  Council 
(NRC) 

September  21, 2010 

70 

Discusses  computer  system  security  and  privacy,  their 
relationship  to  usability,  and  research  at  their 
intersection.  This  is  drawn  from  remarks  made  at  the 
National  Research  Council’s  July  2009  Workshop  on 

Usability,  Security  and  Privacy  of  Computer  Systems  as  well 
as  reports  from  the  NRC's  Computer  Science  and 
Telecommunications  Board  on  security  and  privacy. 

National  Security  Threats  in  Cyberspace 

Joint  Workshop  of  the 

National  Security  Threats  in 
Cyberspace  and  the  National 
Strategy  Forum 

September  15,  2009 

37 

The  two-day  workshop  brought  together  more  than  two 
dozen  experts  with  diverse  backgrounds:  physicists; 
telecommunications  executives;  Silicon  Valley 
entrepreneurs;  federal  law  enforcement,  military, 
homeland  security,  and  intelligence  officials; 
congressional  staffers;  and  civil  liberties  advocates.  For 
two  days  they  engaged  in  an  open-ended  discussion  of 
cyber  policy  as  it  relates  to  national  security,  under 
Chatham  House  Rules:  their  comments  were  for  the 
public  record,  but  they  were  not  for  attribution. 

Note:  Highlights  compiled  by  the  Congressional  Research  Service  (CRS)  from  the  reports. 
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Title 


Table  2.  National  Strategy  forTrusted  Identities  in  Cyberspace  (NSTIC) 


Source 


Date  Pages 


Notes 


Identity  Ecosystem  Framework  (IDESG) 


IDESG  Ongoing 


NIST  Awards  Grants  to  Improve  Online  Security  NIST 

and  Privacy 


September  17, 
2013 


Five  Pilot  Projects  Receive  Grants  to  Promote  NIST  September  20, 

Online  Security  and  Privacy  2012 


Recommendations  for  Establishing  an  Identity  NIST  February  17, 

Ecosystem  Governance  Structure  2012 


Models  for  a  Governance  Structure  for  the  NIST  June  14,201  I 

National  Strategy  for  Trusted  Identities  in 

Cyberspace 


Administration  Releases  Strategy  to  Protect  White  House  April  1 5,  20 1  I 

Online  Consumers  and  Support  Innovation  and 
Fact  Sheet  on  National  Strategy  for  T rusted 
Identities  in  Cyberspace 


N/A  The  NSTIC  called  for  the  establishment  of  a  private  sector-led 
steering  group  to  administer  the  development  and  adoption  of 
the  Identity  Ecosystem  Framework:  the  IDESG.  The  IDESG 
receives  its  authority  to  operate  from  the  active  participation  of 
its  membership  in  accordance  with  the  Rules  of  Association 
which  follow.  The  IDESG  has  been  initiated  with  the  support  of 
NIST.  Following  an  initial  period,  the  IDESG  will  transition  to  a 
self-sustaining  organization. 

N/A  NIST  announced  more  than  $7  million  in  grants  to  support  the 
NSTIC.  The  funding  will  enable  five  U.S.  organizations  to 
develop  pilot  identity  protection  and  verification  systems  that 
offer  consumers  more  privacy,  security,  and  convenience  online. 

N/A  NIST  announced  more  than  $9  million  in  grant  awards  to 

support  the  NSTIC.  Five  U.S.  organizations  will  pilot  identity 
solutions  that  increase  confidence  in  online  transactions, 
prevent  identity  theft,  and  provide  individuals  with  more  control 
over  how  they  share  their  personal  information. 

5 1  NIST  responds  to  comments  received  in  response  to  the 

related  Notice  of  Inquiry  published  in  the  Federal  Register  on 
June  14,  201  I.  This  report  summarizes  the  responses  to  the 
NOI  and  provides  recommendations  and  intended  government 
actions  to  serve  as  a  catalyst  for  establishing  such  a  governance 
structure.  The  recommendations  result  from  comments  and 
suggestions  by  the  NOI  respondents  as  well  as  best  practices 
and  lessons  learned  from  similarly  scoped  governance  efforts. 

4  The  department  seeks  public  comment  from  all  stakeholders, 

including  the  commercial,  academic  and  civil  society  sectors,  and 
consumer  and  privacy  advocates  on  potential  models,  in  the 
form  of  recommendations  and  key  assumptions  in  the  formation 
and  structure  of  the  steering  group. 

N/A  Press  release  on  a  proposal  to  administer  the  processes  for 
policy  and  standards  adoption  for  the  Identity  Ecosystem 
Framework  in  accordance  with  the  National  Strategy  for 
Trusted  Identities  in  Cyberspace  (NSTIC). 
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Title 

Source 

Date 

Pages 

Notes 

National  Strategy  for  T rusted 

Identities  in  Cyberspac 

White  House 

April  15,  201  1 

52 

The  NSTIC  aims  to  make  online  transactions  more  trustworthy, 
thereby  giving  businesses  and  consumers  more  confidence  in 
conducting  business  online. 

National  Strategy  for  T rusted 
Options  for  Enhanced  Online 

Identities  in  Cyberspac 
Security  and  Privacy  (C 

White  House 

June  25,  2010 

39 

The  NSTIC,  which  is  in  response  to  one  of  the  near  term  action 
items  in  the  President’s  Cyberspace  Policy  Review,  calls  for  the 
creation  of  an  online  environment,  or  an  Identity  Ecosystem, 
where  individuals  and  organizations  can  complete  online 
transactions  with  confidence,  trusting  the  identities  of  each 
other  and  the  identities  of  the  infrastructure  where  transaction 

occur. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
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Table  3.  Cloud  Computing  and  FedRAMP2 


Title 

Source 

Date 

Pages 

Notes 

About  FedRAMP 

General  Services 
Administration 

Ongoing 

N/A 

FedRAMP  is  a  government-wide  program  that 
provides  a  standardized  approach  to  security 
assessment,  authorization,  and  continuous  monitoring 
for  cloud  products  and  services. 

Software  Defined  Perimeter 

Cloud  Security  Alliance 

December  1, 

2013 

13 

The  Software  Defined  Perimeter  (SDP)  initiative  by 
the  Cloud  Security  Alliance  aims  to  make  “invisible 
networks”  accessible  to  a  wider  range  of  government 
agencies  and  corporations.  The  initiative  will  foster 
development  of  an  architecture  for  securing  the 

Internet  of  Things  by  using  the  cloud  to  create  highly 
secure  end-to-end  networks  between  any  IP- 
addressable  entities. 

Delivering  on  the  Promise  of  Big  Data  and  the  Cloud 

Booz,  Allen,  Hamilton 

January  9,  2013 

7 

From  the  report,  “Reference  architecture  does  away 
with  conventional  data  and  analytics  silos, 
consolidating  all  information  into  a  single  medium 
designed  to  foster  connections  called  a  “data  lake," 
which  reduces  complexity  and  creates  efficiencies 
that  improve  data  visualization  to  allow  for  easier 
insights  by  analysts.” 

Cloud  Computing:  An  Overview  of  the  Technology  and 
the  Issues  facing  American  Innovators 

House  Judiciary  Comm., 
Subcom.  on  Intellectual 
Property,  Competition,  and 
the  Internet 

July  25,  2012 

156 

Overview  and  discussion  of  cloud  computing  issues. 

Information  Technology  Reform:  Progress  Made  but 
Future  Cloud  Computing  Efforts  Should  be  Better 

Planned 

GAO 

July  1  1,  2012 

43 

GAO  recommends  that  the  Secretaries  of 

Agriculture,  Health  and  Human  Services,  Homeland 
Security,  State,  and  the  Treasury,  and  the 
Administrators  of  the  General  Services 

Administration  and  Small  Business  Administration 
should  direct  their  respective  CIO  to  establish 
estimated  costs,  performance  goals,  and  plans  to 
retire  associated  legacy  systems  for  each  cloud-based 
service  discussed  in  this  report,  as  applicable. 

Federal  Risk  and  Authorization  Management  Program  (FedRAMP)  is  a  government-wide  program  that  provides  a  standardized  approach  to  security  assessment,  authorization, 
and  continuous  monitoring  for  cloud  products  and  services. 
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Cloud  Computing  Strategy 

DOD,  Chief  Information 
Officer 

July  2012 

44 

The  DOD  Cloud  Computing  Strategy  introduces  an 
approach  to  move  the  department  from  the  current 
state  of  a  duplicative,  cumbersome,  and  costly  set  of 
application  silos  to  an  end  state  which  is  an  agile, 
secure,  and  cost  effective,  and  a  service  environment 
that  can  rapidly  respond  to  changing  mission  needs. 

A  Global  Reality:  Governmental  Access  to  Data  in  the 
Cloud  -  A  Comparative  Analysis  of  Ten  International 
Jurisdictions 

Hogan  Lovells 

May  23,  2012 

13 

This  white  paper  compares  the  nature  and  extent  of 
governmental  access  to  data  in  the  cloud  in  many 
jurisdictions  around  the  world. 

Policy  Challenges  of  Cross-Border  Cloud  Computing 

U.S.  International  Trade 
Commission 

May  2012 

38 

Report  examines  the  main  policy  challenges 
associated  with  cross-border  cloud  computing — data 
privacy,  security,  and  ensuring  the  free  flow  of 
information — and  the  ways  that  countries  are 
addressing  them  through  domestic  policy  making, 
international  agreements,  and  other  cooperative 
arrangements. 

Cloud  Computing  Synopsis  and  Recommendations  (SP 
800-146) 

NIST 

May  2012 

81 

NIST’s  guide  explains  cloud  technologies  in  “plain 
terms”  to  federal  agencies  and  provides 
recommendations  for  IT  decision  makers. 

Global  Cloud  Computing  Scorecard  a  Blueprint  for 
Economic  Opportunity 

Business  Software  Alliance 

February  2, 

2012 

24 

This  report  notes  that  while  many  developed 
countries  have  adjusted  their  laws  and  regulations  to 
address  cloud  computing,  the  wide  differences  in 
those  rules  make  it  difficult  for  companies  to  invest  in 
the  technology. 

Concept  of  Operations:  FedRAMP 

General  Services 
Administration  (GSA) 

February  7, 

2012 

47 

Implementation  of  the  Federal  Risk  and  Authorization 
Management  Program  (FedRAMP)  will  be  in  phases. 

This  document  describes  all  the  services  that  will  be 
available  at  initial  operating  capability — targeted  for 

June  20 1 2.  The  Concept  of  Operations  will  be 
updated  as  the  program  evolves  toward  sustained 
operations. 

Federal  Risk  and  Authorization  Management  Program 
(FedRAMP) 

Federal  CIO  Council 

January  4,  20 1 2 

N/A 

FedRAMP  has  been  established  to  provide  a  standard 
approach  to  Assessing  and  Authorizing  (A&A)  cloud 
computing  services  and  products. 
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Security  Authorization  of  Information  Systems  in  Cloud 
Computing  Environments  (FedRAMP) 

White  House/Office  of 
Management  and  Budget 
(OMB) 

December  8, 

201  1 

7 

FedRAMP  will  now  be  required  for  all  agencies 
purchasing  storage,  applications  and  other  remote 
services  from  vendors.  The  Administration  promotes 
cloud  computing  as  a  means  to  save  money  and 
accelerate  the  government’s  adoption  of  new 
technologies. 

U.S.  Government  Cloud  Computing  Technology 

Roadmap,  Volume  1,  Release  1 .0  (Draft).  High-Priority 
Requirements  to  Further  USG  Agency  Cloud  Computing 
Adoption  (SP  500-293) 

NIST 

December  1, 

201  1 

32 

Volume  1  is  aimed  at  interested  parties  who  wish  to 
gain  a  general  understanding  and  overview  of  the 
background,  purpose,  context,  work,  results,  and 
next  steps  of  the  U.S.  Government  Cloud  Computing 
Technology  Roadmap  initiative. 

U.S.  Government  Cloud  Computing  Technology 

Roadmap,  Release  1.0  (Draft),  Volume  II  Useful 

Information  for  Cloud  Adopters  (SP  500-293) 

NIST 

December  1, 

201  1 

85 

Volume  II  is  designed  as  a  technical  reference  for 
those  actively  working  on  strategic  and  tactical  cloud 
computing  initiatives,  including,  but  not  limited  to, 

U.S.  government  cloud  adopters.  Vol.  II  integrates 
and  summarizes  the  work  completed  to  date  and 
explains  how  these  findings  support  the  roadmap 
introduced  in  Vol.  1. 

Information  Security:  Additional  Guidance  Needed  to 
Address  Cloud  Computing  Concerns 

GAO 

October  6, 

201  1 

17 

Twenty-two  of  24  major  federal  agencies  reported 
that  they  were  either  concerned  or  very  concerned 
about  the  potential  information  security  risks 
associated  with  cloud  computing.  GAO 
recommended  that  the  NIST  issue  guidance  specific 
to  cloud  computing  security. 

Cloud  Computing  Reference  Architecture  (SP  500-292) 

NIST 

September  1, 

201  1 

35 

This  “Special  Publication,"  which  is  not  an  official  U.S. 
government  standard,  is  designed  to  provide  guidance 
to  specific  communities  of  practitioners  and 
researchers. 

Guide  to  Cloud  Computing  for  Policy  Makers 

Software  and  Information 
Industry  Association  (SAII) 

July  26,  2011 

27 

The  SAII  concludes  “that  there  is  no  need  for  cloud- 
specific  legislation  or  regulations  to  provide  for  the 
safe  and  rapid  growth  of  cloud  computing,  and  in  fact, 
such  actions  could  impede  the  great  potential  of 
cloud  computing." 
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Federal  Cloud  Computing  Strategy 

White  House 

February  13, 

201  1 

43 

The  strategy  outlines  how  the  federal  government 
can  accelerate  the  safe,  secure  adoption  of  cloud 
computing,  and  provides  agencies  with  a  framework 
for  migrating  to  the  cloud.  It  also  examines  how 
agencies  can  address  challenges  related  to  the 
adoption  of  cloud  computing,  such  as  privacy, 
procurement,  standards,  and  governance. 

25  Point  Implementation  Plan  to  Reform  Federal 
Information  Technology  Management 

White  House 

December  9, 
2010 

40 

The  plan’s  goals  are  to  reduce  the  number  of 
federally  run  data  centers  from  2,100  to 
approximately  1 ,300,  rectify  or  cancel  one-third  of 
troubled  IT  projects,  and  require  federal  agencies  to 
adopt  a  “cloud  first”  strategy  in  which  they  will  move 
at  least  one  system  to  a  hosted  environment  within  a 

year. 

Notes:  These  reports  analyze  cybersecurity  issues  related  to  the  federal  government’s  adoption  of  cloud  computing  storage  options.  Highlights  compiled  by  CRS  from 
the  reports. 
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Cybersecurity:  Authoritative  Reports  and  Resources,  by  Topic 


CRS  Reports:  Critical  Infrastructure 

•  CRS  Report  R42683,  Critical  Infrastructure  Resilience:  The  Evolution  of  Policy  and 
Programs  and  Issues  for  Congress ,  by  John  D.  Moteff 

•  CRS  Report  RL30153,  Critical  Infrastructures:  Background,  Policy,  and  Implementation, 
by  John  D.  Moteff 

•  CRS  Report  R42660,  Pipeline  Cybersecurity :  Federal  Policy ,  by  Paul  W.  Parfomak 

•  CRS  Report  R4 1 536,  Keeping  America  s  Pipelines  Safe  and  Secure:  Key  Issues  for 
Congress,  by  Paul  W.  Parfomak 

•  CRS  Report  R41886,  The  Smart  Grid  and  Cybersecurity — Regulatory >  Policy  and  Issues, 
by  Richard  J.  Campbell 

•  CRS  Report  R42338,  Smart  Meter  Data:  Privacy  and  Cybersecurity ,  by  Brandon  J. 

Murrill,  Edward  C.  Liu,  and  Richard  M.  Thompson  11 

•  CRS  Report  RL33586,  The  Federal  Networking  and  Information  Technology  Research 
and  Development  Program:  Background,  Funding,  and  Activities,  by  Patricia  Moloney 
Figliola 

CRS  Report  97-868,  Internet  Domain  Names:  Background  and  Policy  Issues,  by  Lennard  G.  Kruger 


Congressional  Research  Service 


12 


Table  4.  Critical  Infrastructure 


Title 

Source 

Date 

Pages 

Notes 

Cybersecurity  for  Energy  Delivery  Systems  Program 
(CEDS) 

Department  of 
Energy,  Office  of 
Electricity 

Delivery  & 

Energy  Reliability 

ongoing 

N/A 

The  program  assists  the  energy  sector  asset  owners  (electric, 
oil,  and  gas)  by  developing  cybersecurity  solutions  for  energy 
delivery  systems  through  integrated  planning  and  a  focused 
research  and  development  effort.  CEDS  co-funds  projects  with 
industry  partners  to  make  advances  in  cybersecurity  capabilities 
for  energy  delivery  systems. 

GridEx 

North  American 
Electric  Reliability 
Corporation 
(NERC) 

ongoing 

N/A 

The  objectives  of  the  NERC  Grid  Security  Exercise  (GridEx) 
series  are  to  use  simulated  scenarios  (with  NO  real-world 
effects)  to  exercise  the  current  readiness  of  participating 
Electricity  Sub-sector  entities  to  respond  to  cyber  or  physical 
security  incidents  and  provide  input  for  security  program 
improvements  to  the  bulk  power  system.  GridEx  is  a  biennial 
international  grid  security  exercise  that  uses  best  practices  and 
other  contributions  from  the  Department  of  Homeland  Security, 
the  Federal  Emergency  Management  Agency,  and  the  National 
Institute  of  Standards  and  Technology. 

Framework  for  Improving  Critical  Infrastructure 
Cybersecurity 

NIST 

February  12, 
2014 

41 

The  voluntary  framework  consists  of  cybersecurity  standards 
that  can  be  customized  to  various  sectors  and  adapted  by  both 
large  and  small  organizations.  Additionally,  so  that  the  private 
sector  may  fully  adopt  this  Framework,  the  Department  of 
Homeland  Security  announced  the  Critical  Infrastructure  Cyber 
Community  (C3) — or  "C-cubed" — Voluntary  Program.  The  C3 
program  gives  companies  that  provide  critical  services  like  cell 
phones,  email,  banking,  energy,  and  state  and  local  governments, 
direct  access  to  cybersecurity  experts  within  DHS  who  have 
knowledge  about  specific  threats,  ways  to  counter  those  threats, 
and  how,  over  the  long  term,  to  design  and  build  systems  that 
are  less  vulnerable  to  cyber  threats. 

ITI  Recommendations  to  the  Department  of  Homeland 
Security  Regarding  its  Work  Developing  a  Voluntary 
Program  Under  Executive  Ordcer  1 63636,  "Improving 
Critical  Infrastructure  Cybersecurity 

Information 
Technology 
Industry  Council 

February  1  1, 
2014 

3 

ITI  released  a  set  of  recommendations  eying  further 
improvement  of  the  framework,  changes  that  call  for  DHS  to 
"de-emphasize  the  current  focus  on  incentives."  Partly,  ITI 
recognizes  the  cyber  order  can  produce  change  even  in  an 
environment  in  which  fiscal  constraints  and  congressional 
inaction  stall  carrots  for  adoption — but  a  bigger  biz  argument, 
made  in  its  report  yesterday,  is  that  ITI  and  others  do  not  want 
incentives  if  they  come  at  the  cost  of  "compliance-based 
programs." 
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The  Federal  Government's  Track  Record  on 

Cybersecurity  and  Critical  Infrastructure 

Sen.  Homeland 
Security  and 
Governmental 
Affairs 

Committee 
(Minority  Staff) 

February  4, 

2013 

19 

Since  2006,  the  federal  government  has  spent  at  least  $65  billion 
on  securing  its  computers  and  networks,  according  to  an 
estimate  by  the  Congressional  Research  Service  (CRS).  The 
National  Institute  of  Standards  and  Technology  (NIST),  the 
government’s  official  body  for  setting  cybersecurity  standards, 
has  produced  thousands  of  pages  of  precise  guidance  on  every 
significant  aspect  of  IT  security.  And  yet  agencies — even  agencies 
with  responsibilities  for  critical  infrastructure,  or  vast 
repositories  of  sensitive  data — continue  to  leave  themselves 
vulnerable,  often  by  failing  to  take  the  most  basic  steps  toward 
securing  their  systems  and  information. 

NIPP  2013:  Partnering  for  Critical  Infrastructure  Security 
and  Resilience 

Department  of 
Homeland 

Security 

2013 

57 

NIPP  2013  meets  the  requirements  of  Presidential  Policy 
Directive-21:  Critical  Infrastructure  Security  and  Resilience, 
signed  in  February  2013.  The  Plan  was  developed  through  a 
collaborative  process  involving  stakeholders  from  all  1 6  critical 
infrastructure  sectors,  all  50  states,  and  from  all  levels  of 
government  and  industry.  It  provides  a  clear  call  to  action  to 
leverage  partnerships,  innovate  for  risk  management,  and  focus 
on  outcomes 

World  Federation  of  Exchanges  (WFE)  Launches  Global 
Cyber  Security  Committee 

World 

Federation  of 
Exchanges 

December  12, 
2013 

N/A 

The  WFE  announced  the  launch  of  the  exchange  industry’s  first 
cyber  security  committee  with  a  mission  to  aid  in  the  protection 
of  the  global  capital  markets.  The  working  group  will  bring 
together  representation  from  a  number  of  exchanges  and 
clearinghouses  across  the  globe,  to  collaborate  on  best  practices 
in  global  security. 

The  Critical  Infrastructure  Gap:  U.S.  Port  Facilities  and 
Cyber  Vulnerabilities 

Brookings 

Institution/ 

Center  for  21st 
Century  Security 
and  Intelligence 

July  2013 

50 

The  study  argues  that  the  level  of  cyber  security  awareness  and 
culture  in  U.S.  port  facilities  is  relatively  low  and  that  a 
cyberattack  at  a  major  U.S.  port  would  quickly  cause  significant 
damage  to  the  economy. 

FFIEC  Forms  Cybersecurity  and  Critical  Infrastructure 
Working  Group 

Federal  Financial 

Institutions 
Examination 
Council  (FFIEC) 

June  6,2013 

2 

FFIEC  formed  a  working  group  to  further  promote  coordination 
across  the  federal  and  state  banking  regulatory  agencies  on 
critical  infrastructure  and  cybersecurity  issues. 

Electric  Grid  Vulnerability:  Industry  Responses  Reveal 
Security  Gaps 

Rep.  Edward 
Markey  and  Rep. 
Henry  Waxman 

May  21,  2013 

35 

The  report  found  that  less  than  a  quarter  of  investor-owned 
utilities  and  less  than  half  of  municipal  and  cooperation-owned 
utilities  followed  through  with  voluntary  standards  issued  by  the 
Federal  Energy  Regulatory  Commission  after  the  Stuxnet  worm 
struck  in  2010. 
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Initial  Analysis  of  Cybersecurity  Framework  RFI 
Responses 


Joint  Working  Group  on  Improving  Cybersecurity  and 
Resilience  Through  Acquisition,  Notice  of  Request  for 
Information 


Version  5  Critical  Infrastructure  Protection  Reliability 
Standards  (Notice  of  Proposed  Rulemaking) 


NIST 


General  Services 
Administration 


Federal  Energy 

Regulatory 

Commission 
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May  20,  2013 


May  13,  2013 


April  24,  2013 


33  Comments  on  the  challenges  of  protecting  the  nation’s  critical 
infrastructure  have  identified  a  handful  of  issues  for  the  more 
than  200  people  and  organizations  who  responded  to  a  formal 
request  for  information.  NIST  has  released  an  initial  analysis  of 
243  responses  to  the  Feb.  26  RFI.  The  analysis  will  form  the 
basis  for  an  upcoming  workshop  at  Carnegie  Mellon  University 
in  Pittsburgh  as  NIST  moves  forward  on  creating  a  cybersecurity 
framework  for  essential  energy,  utility,  and  communications 
systems. 

3  Among  other  things,  PPD-2 1  requires  the  General  Services 

Administration,  in  consultation  with  DOD  and  DHS,  to  jointly 
provide  and  support  government-wide  contracts  for  critical 
infrastructure  systems  and  ensure  that  such  contracts  include 
audit  rights  for  the  security  and  resilience  of  critical 
infrastructure. 

18  FERC  proposes  to  approve  the  Version  5  Critical  Infrastructure 
Protection  Reliability  Standards,  CIP-002-5  through  CIP-01  I -I, 
submitted  by  the  North  American  Electric  Reliability 
Corporation,  the  Commission-certified  Electric  Reliability 
Organization.  The  proposed  Reliability  Standards,  which  pertain 
to  the  cyber  security  of  the  bulk  electric  system,  represent  an 
improvement  over  the  current  Commission-approved  CIP 
Reliability  Standards  as  they  adopt  new  cyber  security  controls 
and  extend  the  scope  of  the  systems  that  are  protected  by  the 
CIP  Reliability  Standards. 


Notes 
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Wireless  Cybersecurity  Syracuse  April  2013 

University  New 
York,  Dept,  of 
Electrical 
Engineering  and 
Computer 
Science 


Incentives  To  Adopt  Improved  Cybersecurity  Practices  NIST  and  the  March  28,  2013 

National 
Telecommunica¬ 
tions  and 
Information 
Administration 


Cybersecurity:  The  Nation's  Greatest  Threat  to  Critical  U.S.  Army  War  March  20 1 3 
Infrastructure  College 


SCADA  and  Process  Control  Security  Survey 


SANS  Institute  February  I, 
2013 


1 67  This  project  dealt  with  various  threats  in  wireless  networks, 

including:  eavesdropping  in  a  broadcast  channel,  non-cooperative 
eavesdropping  in  a  single-source  single-sink  planar  network,  and 
primary  user  emulation  attack  in  a  cognitive  radio  network.  The 
major  contributions  were:  detailed  analysis  of  performance 
trade-off  in  the  presence  of  the  eavesdropping  threat;  a 
combined  encoding  and  routing  approach  that  provides  provable 
security  against  non-cooperating  eavesdropping;  and  a  physical 
layer  approach  to  counter  the  primary  emulation  attack.  The 
research  results  under  this  effort  significantly  advanced  our 
understanding  on  some  of  the  fundamental  trade-offs  among 
various  performance  metrics  in  a  wireless  system.  Practically 
feasible  wireless  security  measures  were  also  obtained  that 
could  lead  to  more  assured  operations  in  which  secured 
wireless  networks  play  an  indispensable  role.  This  project  led  to 
one  PhD  dissertation,  one  pending  patent  application,  two 
archival  journal  papers  and  a  number  of  peer-reviewed 
conference  papers. 

N/A  The  Department  of  Commerce  (DOC)  is  investigating  ways  to 
incentivize  companies  and  organizations  to  improve  their 
cybersecurity.  To  better  understand  what  stakeholders  -  such  as 
companies,  trade  associations,  academics  and  others  -  believe 
would  best  serve  as  incentives,  the  department  has  released  a 
series  of  questions  to  gather  public  comments  in  a  Notice  of 
Inquiry. 

38  This  paper  provides  a  background  of  what  constitutes  national 
critical  infrastructure  and  Critical  Infrastructure  Protection 
(CIP);  discusses  the  immense  vulnerabilities,  threats,  and  risks 
associated  in  the  protection  of  critical  infrastructure;  and 
outlines  governance  and  responsibilities  of  protecting  vulnerable 
infrastructure.  The  paper  makes  recommendations  for  federal 
responsibilities  and  legislation  to  direct  nation  critical 
infrastructure  efforts  to  ensure  national  security,  public  safety, 
and  economic  stability. 

1 9  SANS  Institute  surveyed  professionals  who  work  with  SCADA 
and  process  control  systems.  Of  the  nearly  700  respondents, 
70%  said  they  consider  their  SCADA  systems  to  be  at  high  or 
severe  risk;  one-third  of  them  suspect  that  they  have  been 
already  been  infiltrated. 
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Follow-up  Audit  of  the  Department’s  Cyber  Security 
Incident  Management  Program 

U.S.  Department 
of  Energy 

Inspector 

General’s  Office 

December  20 1 2 

25 

In  2008,  the  Department's  Cyber  Security  Incident  Management 
Program  (DOE/IG-0787,  January  2008)  reported  the  department 
and  National  Nuclear  Security  Administration  (NNSA) 
established  and  maintained  a  number  of  independent,  at  least 
partially  duplicative,  cyber  security  incident  management 
capabilities.  Several  issues  were  identified  that  limited  the 
efficiency  and  effectiveness  of  the  department's  cyber  security 
incident  management  program  and  adversely  affected  the  ability 
of  law  enforcement  to  investigate  incidents.  In  response  to  the 
finding,  management  concurred  with  the  recommendations  and 
indicated  that  it  had  initiated  actions  to  address  the  issues 
identified. 

Terrorism  and  the  Electric  Power  Delivery  System 

National 

Academies  of 
Science 

November  20 1 2 

146 

Focuses  on  measures  that  could  make  the  electric  power 
delivery  system  less  vulnerable  to  attacks,  restore  power  faster 
after  an  attack,  and  make  critical  services  less  vulnerable  when 
the  delivery  of  conventional  electric  power  has  been  disrupted. 

New  FERC  Office  to  Focus  on  Cyber  Security 

U.S.  Department 
of  Energy 

September  20, 
2012 

N/A 

The  Federal  Energy  Regulatory  Commission  (FERC)  announced 
the  creation  of  the  agency’s  new  Office  of  Energy  Infrastructure 
Security,  which  will  work  to  reduce  threats  to  the  electric  grid 
and  other  energy  facilities.  The  goal  is  for  the  office  to  help 

FERC,  and  other  agencies  and  private  companies,  better  identify 
potential  dangers  and  solutions. 

Canvassing  the  Targeting  of  Energy  Infrastructure:  The 
Energy  Infrastructure  Attack  Database 

Journal  of  Energy 
Security 

August  7,  2012 

8 

The  Energy  Infrastructure  Attack  Database  (EIAD)  is  a  non¬ 
commercial  dataset  that  structures  information  on  reported 
(criminal  and  political)  attacks  to  energy  infrastructure  (El) 
(worldwide)  since  1980,  by  non-state  actors.  In  building  this 
resource,  the  objective  was  to  develop  a  product  that  could  be 
broadly  accessible  and  also  connect  to  existing  available 
resources 

Smart-Grid  Security 

Center  for 
Infrastructure 

Protection  and 
Homeland 

Security,  George 
Mason  School  of 

Law 

August  2012 

26 

Highlights  the  significance  of  and  the  challenges  with  securing  the 
smart  grid. 
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Cybersecurity:  Challenges  in  Securing  the  Electricity  Grid 

GAO 

July  17,  2012 

25 

In  a  prior  report,  GAO  made  recommendations  related  to 
electricity  grid  modernization  efforts,  including  developing  an 
approach  to  monitor  compliance  with  voluntary  standards. 

These  recommendations  have  not  yet  been  implemented. 

Energy  Department  Develops  Tool  with  Industry  to  Help 
Utilities  Strengthen  Their  Cybersecurity  Capabilities 

U.S.  Department 
of  Energy 

June  28,  2012 

N/A 

The  Cybersecurity  Self-Evaluation  Tool  uses  best  practices  that 
were  developed  for  the  Electricity  Subsector  Cybersecurity 
Capability  Maturity  Model  Initiative,  which  involved  a  series  of 
workshops  with  the  private  sector  to  draft  a  maturity  model 
that  can  be  used  throughout  the  electric  sector  to  better 
protect  the  grid. 

ICS-CERT  Incident  Response  Summary  Report,  2009- 
201  1 

U.S.  Industrial 
Control  System 
Cyber  Emergency 
Response  Team 
(ICS-CERT) 

May  9,  2012 

17 

The  number  of  reported  cyberattacks  on  U.S.  critical 
infrastructure  increased  sharply — from  9  incidents  in  2009  to 

198  in  201  1;  water  sector-specific  incidents,  when  added  to  the 
incidents  that  affected  several  sectors,  accounted  for  more  than 
half  of  the  incidents;  in  more  than  half  of  the  most  serious  cases, 
implementing  best  practices  such  as  login  limitation  or  properly 
configured  firewall,  would  have  deterred  the  attack,  reduced  the 
time  it  would  have  taken  to  detect  an  attack,  and  minimize  its 
impact. 

Cybersecurity  Risk  Management  Process  (Electricity 
Subsector) 

Department  of 
Energy,  Office  of 
Electricity 

Delivery  & 

Energy  Reliability 

May  2012 

96 

The  guideline  describes  a  risk  management  process  that  is 
targeted  to  the  specific  needs  of  electricity  sector  organizations. 
The  objective  of  the  guideline  is  to  build  upon  existing  guidance 
and  requirements  to  develop  a  flexible  risk  management  process 
tuned  to  the  diverse  missions,  equipment,  and  business  needs  of 
the  electric  power  industry. 

ICT  Applications  for  the  Smart  Grid:  Opportunities  and 
Policy  Implications 

Organization  for 
Economic  Co¬ 
operation  and 
Development 
(OECD) 

January  10,  2012 

44 

This  report  discusses  “smart”  applications  of  information  and 
communication  technologies  (ICTs)  for  more  sustainable  energy 
production,  management  and  consumption.  The  report  outlines 
policy  implications  for  government  ministries  dealing  with 
telecommunications  regulation,  ICT  sector  and  innovation 
promotion,  and  consumer  and  competition  issues. 

The  Department’s  Management  of  the  Smart  Grid 
Investment  Grant  Program 

Department  of 
Energy  (DOE) 
Inspector 

General 

January  20,  2012 

21 

According  to  the  Inspector  General,  DOE's  rush  to  award 
stimulus  grants  for  projects  under  the  next  generation  of  the 
power  grid,  known  as  the  Smart  grid,  resulted  in  some  firms 
receiving  funds  without  submitting  complete  plans  for  how  to 
safeguard  the  grid  from  cyberattacks. 
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Critical  Infrastructure  Protection:  Cybersecurity 

Guidance  Is  Available,  but  More  Can  Be  Done  to 

Promote  Its  Use 

Government 
Accountability 
Office  (GAO) 

December  9, 

201  1 

77 

According  to  GAO,  given  the  plethora  of  guidance  available, 
individual  entities  within  the  sectors  may  be  challenged  in 
identifying  the  guidance  that  is  most  applicable  and  effective  in 
improving  their  security  posture.  Improved  knowledge  of  the 
available  guidance  could  help  both  federal  and  private-sector 
decision  makers  better  coordinate  their  efforts  to  protect 
critical  cyber-reliant  assets. 

The  Future  of  the  Electric  Grid 

Massachusetts 
Institute  of 
Technology  (MIT) 

December  5, 

201  1 

39 

Chapter  1  provides  an  overview  of  the  status  of  the  grid,  the 
challenges  and  opportunities  it  will  face,  and  major 
recommendations.  To  facilitate  selective  reading,  detailed 
descriptions  of  the  contents  of  each  section  in  Chapters  2-9  are 
provided  in  each  chapter’s  introduction,  and  recommendations 
are  collected  and  briefly  discussed  in  each  chapter's  final  section. 
(See  Chapter  9,  Data  Communications,  Cybersecurity,  and 
Information  Privacy,  pages  208-234). 

FCC's  Plan  for  Ensuring  the  Security  of 
Telecommunications  Networks 

Federal 

Communications 

Commission 

(FCC) 

June  3,  201  1 

1 

FCC  Chairman  Genachowski's  response  to  letter  from  Rep. 

Anna  Eshoo  dated  November  2,  2010,  re:  concerns  about  the 
implications  of  foreign-controlled  telecommunications 
infrastructure  companies  providing  equipment  to  the  U.S. 
market. 

Cyber  Infrastructure  Protection 

U.S.  Army  War 
College 

May  9,  2011 

324 

Part  1  deals  with  strategic  and  policy  cybersecurity-related 
issues  and  discusses  the  theory  of  cyberpower,  Internet 
survivability,  large  scale  data  breaches,  and  the  role  of 
cyberpower  in  humanitarian  assistance.  Part  2  covers  social  and 
legal  aspects  of  cyber  infrastructure  protection  and  discusses  the 
attack  dynamics  of  political  and  religiously  motivated  hackers. 

Part  3  discusses  the  technical  aspects  of  cyber  infrastructure 
protection,  including  the  resilience  of  data  centers,  intrusion 
detection,  and  a  strong  emphasis  on  Internet  protocol  (IP) 
networks. 

In  the  Dark:  Crucial  Industries  Confront  Cyberattacks 

McAfee  and 

Center  for 

Strategic  and 
International 
Studies  (CSIS) 

April  21,  201  1 

28 

The  study  reveals  an  increase  in  cyberattacks  on  critical 
infrastructure  such  as  power  grids,  oil,  gas,  and  water;  the  study 
also  shows  that  that  many  of  the  world’s  critical  infrastructures 
lacked  protection  of  their  computer  networks,  and  reveals  the 
cost  and  impact  of  cyberattacks 
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Cybersecurity:  Continued  Attention  Needed  to  Protect 
Our  Nation’s  Critical  Infrastructure  and  Federal 
Information  Systems 


Government  March  16,2011 

Accountability 

Office  (GAO) 


Federal  Energy  Regulatory  Commission’s  Monitoring  of  Department  of  January  26,  201  I 
Power  Grid  Cyber  Security  Energy  Office  of 

Inspector 

General 


Electricity  Grid  Modernization:  Progress  Being  Made  on  Government  January  12,  201  I 

Cybersecurity  Guidelines,  but  Key  Challenges  Remain  to  Accountability 
be  Addressed  Office  (GAO) 


Partnership  for  Cybersecurity  Innovation  White  House  December  6, 

(Office  of  Science  20 1 0 

&  Technology 

Policy) 


17  According  to  GAO,  executive  branch  agencies  have  made 

progress  instituting  several  government-wide  initiatives  that  are 
aimed  at  bolstering  aspects  of  federal  cybersecurity,  such  as 
reducing  the  number  of  federal  access  points  to  the  Internet, 
establishing  security  configurations  for  desktop  computers,  and 
enhancing  situational  awareness  of  cyber  events.  Despite  these 
efforts,  the  federal  government  continues  to  face  significant 
challenges  in  protecting  the  nation's  cyber-reliant  critical 
infrastructure  and  federal  information  systems. 

30  NERC  developed  Critical  Infrastructure  Protection  (CIP)  cyber 
security  reliability  standards  which  were  approved  by  the  FERC 
in  January  2008.  Although  the  Commission  had  taken  steps  to 
ensure  CIP  cyber  security  standards  were  developed  and 
approved,  NERC’s  testing  revealed  that  such  standards  did  not 
always  include  controls  commonly  recommended  for  protecting 
critical  information  systems.  In  addition,  the  CIP  standards 
implementation  approach  and  schedule  approved  by  the 
Commission  were  not  adequate  to  ensure  that  systems-related 
risks  to  the  nation's  power  grid  were  mitigated  or  addressed  in 
a  timely  manner. 

50  “To  reduce  the  risk  that  NIST’s  smart  grid  cybersecurity 

guidelines  will  not  be  as  effective  as  intended,  the  Secretary  of 
Commerce  should  direct  the  Director  of  NIST  to  finalize  the 
agency's  plan  for  updating  and  maintaining  the  cybersecurity 
guidelines,  including  ensuring  it  incorporates  (I)  missing  key 
elements  identified  in  this  report,  and  (2)  specific  milestones  for 
when  efforts  are  to  be  completed.  Also,  as  a  part  of  finalizing  the 
plan,  the  Secretary  of  Commerce  should  direct  the  Director  of 
NIST  to  assess  whether  any  cybersecurity  challenges  identified 
in  this  report  should  be  addressed  in  the  guidelines.” 

4  The  Obama  Administration  released  a  Memorandum  of 
Understanding  signed  by  DOC’s  NIST,  DHS’s  Science  and 
Technology  Directorate  (DHS/S&T),  and  the  Financial  Services 
Sector  Coordinating  Council  (FSSCC).  The  goal  of  the 
agreement  is  to  speed  up  the  commercialization  of  cybersecurity 
research  innovations  that  support  the  nation’s  critical 
infrastructures. 
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WIB  Security  Standard  Released 

International 
Instrument  Users 

Association 

(WIB) 

November  10, 
2010 

The  Netherlands-based  WIB,  an  international  organization  that 
represents  global  manufacturers  in  the  industrial  automation 
industry,  announced  the  second  version  of  the  Process  Control 
Domain  Security  Requirements  For  Vendors  document — the 
first  international  standard  that  outlines  a  set  of  specific 
requirements  focusing  on  cyber  security  best  practices  for 
suppliers  of  industrial  automation  and  control  systems. 

Information  Security  Management  System  for  Microsoft 
Cloud  Infrastructure 

Microsoft 

November  20 1 0 

15 

This  study  describes  the  standards  Microsoft  follows  to  address 
current  and  evolving  cloud  security  threats.  It  also  depicts  the 
internal  structures  within  Microsoft  that  handle  cloud  security 
and  risk  management  issues. 

NIST  Finalizes  Initial  Set  of  Smart  Grid  Cyber  Security 
Guidelines 

National  Institute 
of  Standards  and 
Technology 
(NIST) 

September  2, 

2010 

N/A 

NIST  released  a  three-volume  set  of  recommendations  relevant 
to  securing  the  Smart  Grid.  The  guidelines  address  a  variety  of 
topics,  including  high-level  security  requirements,  a  risk 
assessment  framework,  an  evaluation  of  privacy  issues  in 
residences  and  recommendations  for  protecting  the  evolving 
grid  from  attacks,  malicious  code,  cascading  errors,  and  other 
threats. 

Critical  Infrastructure  Protection:  Key  Private  and  Public 
Cyber  Expectations  Need  to  Be  Consistently  Addressed 

Government 
Accountability 
Office  (GAO) 

July  15,  2010 

38 

Private-sector  stakeholders  reported  that  they  expect  their 
federal  partners  to  provide  usable,  timely,  and  actionable  cyber 
threat  information  and  alerts;  access  to  sensitive  or  classified 
information;  a  secure  mechanism  for  sharing  information; 
security  clearances;  and  a  single  centralized  government 
cybersecurity  organization  to  coordinate  government  efforts. 
However,  according  to  private  sector  stakeholders,  federal 
partners  are  not  consistently  meeting  these  expectations. 

The  Future  of  Cloud  Computing 

Pew  Research 
Center’s  Internet 
&  American  Life 
Project 

June  1  1,  2010 

26 

Technology  experts  and  stakeholders  expect  they  will  “live 
mostly  in  the  cloud”  in  2020  and  not  on  the  desktop,  working 
mostly  through  cyberspace-based  applications  accessed  through 
networked  devices. 

The  Reliability  of  Global  Undersea  Communications  Cable 
Infrastructure  (The  ROGUCCI  Report) 

lEEE/EastWest 

Institute 

May  26,  2010 

186 

This  study  submits  12  major  recommendations  to  private  sector, 
governments  and  other  stakeholders — especially  the  financial 
sector — for  the  purpose  of  improving  the  reliability,  robustness, 
resilience,  and  security  of  the  world’s  undersea  communications 
cable  infrastructure. 

CRS-21 


Title 

Source 

Date 

Pages 

Notes 

NSTB  Assessments  Summary  Report:  Common  Industrial 
Control  System  Cyber  Security  Weaknesses 

Department  of 
Energy,  Idaho 
National 
Laboratory 

May  2010 

123 

Computer  networks  controlling  the  electric  grid  are  plagued 
with  security  holes  that  could  allow  intruders  to  redirect  power 
delivery  and  steal  data.  Many  of  the  security  vulnerabilities  are 
strikingly  basic  and  fixable  problems. 

Explore  the  reliability  and  resiliency  of  commercial 
broadband  communications  networks 

Federal 

Communications 

Commission 

(FCC) 

April  21,  2010 

N/A 

The  FCC  launched  an  inquiry  into  the  ability  of  existing 
broadband  networks  to  withstand  significant  damage  or  severe 
overloads  as  a  result  of  natural  disasters,  terrorist  attacks, 
pandemics  or  other  major  public  emergencies,  as  recommended 
in  the  National  Broadband  Plan. 

Security  Guidance  for  Critical  Areas  of  Focus  in  Cloud 
Computing  V2. 1 

Cloud  Security 
Alliance 

December  2009 

76 

From  the  report,  “Through  our  focus  on  the  central  issues  of 
cloud  computing  security,  we  have  attempted  to  bring  greater 
clarity  to  an  otherwise  complicated  landscape,  which  is  often 
filled  with  incomplete  and  oversimplified  information.  Our  focus 
...  serves  to  bring  context  and  specificity  to  the  cloud  computing 
security  discussion:  enabling  us  to  go  beyond  gross 
generalizations  to  deliver  more  insightful  and  targeted 
recommendations.” 

21  Steps  to  Improve  Cyber  Security  of  SCADA  Networks 

U.S.  Department 
of  Energy, 
Infrastructure 
Security  and 

Energy 

Restoration 

January  1 , 2007 

10 

The  President’s  Critical  Infrastructure  Protection  Board  and  the 
Department  of  Energy  have  developed  steps  to  help  any 
organization  improve  the  security  of  its  SCADA  networks.  The 
steps  are  divided  into  two  categories:  specific  actions  to  improve 
implementation,  and  actions  to  establish  essential  underlying 
management  processes  and  policies. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
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Cybersecurity:  Authoritative  Reports  and  Resources,  by  Topic 


CRS  Reports  and  Other  CRS  Products:  Cybercrime  and  National  Security 

•  CRS  Report  97-1025,  Cybercrime:  An  Overview  of  the  Federal  Computer  Fraud  and 
Abuse  Statute  and  Related  Federal  Criminal  Laws ,  by  Charles  Doyle 

•  CRS  Report  94-166,  Extraterritorial  Application  of  American  Criminal  Law,  by  Charles 
Doyle 

•  CRS  Report  R42403,  Cybersecurity:  Cyber  Crime  Protection  Security  Act  (S.  2111,  112th 
Congress) — A  Legal  Analysis,  by  Charles  Doyle 

•  CRS  Report  98-326,  Privacy:  An  Overview  of  Federal  Statutes  Governing  Wiretapping 
and  Electronic  Eavesdropping,  by  Gina  Stevens  and  Charles  Doyle 

•  CRS  Report  RL32706,  Spyware:  Background  and  Policy  Issues  for  Congress,  by  Patricia 
Moloney  Figliola 

•  CRS  Report  CRS  Report  R41975,  Illegal  Internet  Streaming  of  Copyrighted  Content: 

Legislation  in  the  112th  Congress,  by  Brian  T.  Yeh 

•  CRS  Report  R42112,  Online  Copyright  Infringement  and  Counterfeiting:  Legislation  in 
the  112th  Congress,  by  Brian  T.  Yeh 

•  CRS  Report  R40599,  Identity >  Theft:  Trends  and  Issues,  by  Kristin  Finklea 

•  CRS  Report  R41927,  The  Interplay  of  Borders,  Turf,  Cyberspace,  and  Jurisdiction: 

Issues  Confronting  U.S.  Law  Enforcement ,  by  Kristin  Finklea 

•  CRS  Report  RL3465 1 ,  Protection  of  Children  Online:  Federal  and  State  Laws 
Addressing  Cyberstalking,  Cyberharassment,  and  Cyberbullying,  by  Alison  M.  Smith 

•  CRS  Report  R42547,  Cybercrime:  Conceptual  Issues  for  Congress  and  U.S.  Law 
Enforcement,  by  Kristin  Finklea  and  Catherine  A.  Theohary 

•  CRS  Legal  Sidebar,  Legal  Barriers  to  an  Expanded  Role  of  the  Militaiy  in  Defending 
Against  Domestic  Cyber  attacks,  Andrew  Nolan 

•  CRS  Legal  Sidebar,  Obstacles  to  Private  Sector  Cyber  Threat  Information  Sharing, 

Edward  C.  Liu 

•  CRS  Legal  Sidebar,  Online  Banking  Fraud:  Liability  for  Unauthorized  Payment  from 
Business  Checking  Account,  M.  Maureen  Murphy 


Congressional  Research  Service 
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Table  5.  Cybercrime,  Data  Breaches,  and  Data  Security 
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ThreatWatch 

NextGov 

Ongoing 

N/A 

ThreatWatch  is  a  snapshot  of  the  data  breaches  hitting 

organizations  and  individuals,  globally,  on  a  daily  basis.  It  is  not  an 
authoritative  list,  since  many  compromises  are  never  reported  or 
even  discovered.  The  information  is  based  on  accounts  published 
by  outside  news  organizations  and  researchers. 

Trade  associations  representing  the  merchant  and  financial 
services  industries  announced  a  new  cybersecurity  partnership. 
The  partnership  will  focus  on  exploring  paths  to  increased 
information  sharing,  better  card  security  technology,  and 
maintaining  the  trust  of  customers.  Discussion  regarding  the 
partnership  was  initiated  by  the  Retail  Industry  Leaders 
Association  (RILA)  and  the  Financial  Services  Roundtable  (FSR), 
joined  by  the  American  Bankers  Association  (ABA),  the  American 
Hotel  &  Lodging  Association  (AH&LA),  The  Clearing  House 
(TCH),  the  Consumer  Bankers  Association  (CBA),  the  Food 
Marketing  Institute  (FMI),  the  Electronic  Transactions  Association 
(ETA),  the  Independent  Community  Bankers  of  America  (ICBA), 
the  International  Council  of  Shopping  Centers  (ICSC),  the 
National  Associations  of  Convenience  Stores  (NACS),  the 
National  Grocers  Association  (NGA),  the  National  Restaurant 
Association  (NRA),  and  the  National  Retail  Federation  (NRF). 

The  FTC  announces  its  50th  data  security  settlement.  What 
started  in  2002  with  a  single  case  applying  established  FTC  Act 
precedent  to  the  area  of  data  security  has  grown  into  an 
enforcement  program  that  has  helped  to  increase  protections  for 
consumers  and  has  encouraged  companies  to  make  safeguarding 
consumer  data  a  priority. 

The  report  is  a  collection  of  top  cyber-threats  that  have  been 
assessed  in  the  reporting  period  (i.e.,  within  2013).  ENISA  has 
collected  over  250  reports  regarding  cyber-threats,  risks,  and 
threat  agents.  ETL  2013  is  a  comprehensive  compilation  of  the  top 
1 5  cyber-threats  assessed. 


Merchant  and  Financial  Trade  Associations  Announce 
Cybersecurity  Partnership 


Retail  Industry 

Leaders 

Association 


February  13, 
2014 


N/A 


FTC  Statement  Marking  the  FTC's  50th  Data  Security  Federal  Trade  January  3  I 

Settlement  Commission  2014 


ENISA  Threat  Landscape  20 1 3  -  Overview  of  Current  and 
Emerging  Cyber-Threats 


European  Union 
Agency  for 
Network  and 
Information 
Security  (ENISA) 


December 
I  I,  2013 


70 
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Cyber-enabled  Competitive  Data  Theft:  A  Framework  for 
Modeling  Long-Run  Cybersecurity  Consequences 

Brookings 

Institution 

December 

2013 

18 

Economic  espionage  has  existed  at  least  since  the  industrial 
revolution,  but  the  scope  of  modern  cyber-enabled  competitive 
data  theft  may  be  unprecedented.  With  this  paper,  Friedman, 
Mack-Crane,  and  Hammond  present  what  they  believe  is  the  first 
economic  framework  and  model  to  understand  the  long-run 
impact  of  competitive  data  theft  on  an  economy  by  taking  into 
account  the  actual  mechanisms  and  pathways  by  which  theft  harms 
the  victims. 

Trends  in  Incident  Response  in  2013 

ICS-CERT 

Monitor 

October- 

December 

2013 

14 

In  2013,  ICS-CERT  responded  to  256  incidents  reported  either 
directly  from  asset  owners  or  through  other  trusted  partners. 

The  majority  of  these  incidents  were  initially  detected  in  business 
networks  of  critical  infrastructure  organizations  that  operate 
industrial  control  systems  (ICS).  Of  the  256  reported  incidents, 
59%,  or  1 5 1  incidents,  occurred  in  the  energy  sector,  which 
exceeded  all  incidents  reported  in  other  sectors  combined. 

Illicit  Cyber  Activity  Involving  Fraud 

Carnegie  Mellon 

University 

Software 

Engineering 

Institute 

August  8, 

2013 

28 

Technical  and  behavioral  patterns  were  extracted  from  80  fraud 
cases — 67  insider  and  1 3  external — that  occurred  between  2005 
and  the  present.  These  cases  were  used  to  develop  insights  and 
risk  indicators  to  help  private  industry,  government,  and  law 
enforcement  more  effectively  prevent,  deter,  detect,  investigate, 
and  manage  malicious  insider  activity  within  the  banking  and 
finance  sector. 

The  Economic  Impact  of  Cybercrime  and  Cyber  Espionage 

Center  for 
Strategic  and 
International 

Studies 

July  22,  2013 

20 

Losses  to  the  United  States  (the  country  where  data  is  most 
accessible)  may  reach  $100  billion  annually.  The  cost  of 
cybercrime  and  cyber  espionage  to  the  global  economy  is  some 
multiple  of  this,  likely  measured  in  hundreds  of  billions  of  dollars. 

Cyber-Crime,  Securities  Markets,  and  Systemic  Risk 

World 

Federation  of 
Exchanges 
(WFE)  and  the 
International 
Organization  of 
Securities 
Commissions 
(IOSCO) 

July  16,  2013 

59 

This  report  explores  the  nature  and  extent  of  cyber-crime  in 
securities  markets  so  far;  the  potential  systemic  risk  aspects  of 
this  threat;  and  presents  the  results  of  a  survey  to  the  world’s 
exchanges  on  their  experiences  with  cyber-crime,  cyber-security 
practices  and  perceptions  of  the  risk. 
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Towards  Trustworthy  Social  Media  and  Crowdsourcing 

Wilson  Center 

May  2013 

12 

Individuals  and  organizations  interested  in  using  social  media  and 
crowdsourcing  currently  lack  two  key  sets  of  information:  a 
systematic  assessment  of  the  vulnerabilities  in  these  technologies 
and  a  comprehensive  set  of  best  practices  describing  how  to 
address  those  vulnerabilities.  Identifying  those  vulnerabilities  and 
developing  those  best  practices  are  necessary  to  address  a 
growing  number  of  cybersecurity  incidents  ranging  from  innocent 
mistakes  to  targeted  attacks  that  have  claimed  lives  and  cost 
millions  of  dollars. 

Remaking  American  Security:  Supply  Chain  Vulnerabilities 
&  National  Security  Risks  Across  the  U.S.  Defense 

Industrial  Base 

Alliance  for 

American 

Manufacturing 

May  2013 

355 

Because  the  supply  chain  is  global,  it  makes  sense  for  U.S.  officials 
to  cooperate  with  other  nations  to  ward  off  cyberattacks. 

Increased  international  cooperation  to  secure  the  integrity  of  the 
global  IT  system  is  a  valuable  long-term  objective. 

HoneyMap  -  Visualizing  Worldwide  Attacks  in  Real-Time, 
and  Honeynet  Map 

The  Honeynet 
Project 

October  1, 
2012 

N/A 

The  HoneyMap  shows  a  real-time  visualization  of  attacks  against 
the  Honeynet  Project’s  sensors  deployed  around  the  world. 

Does  Cybercrime  Really  Cost  $1  Trillion? 

ProPublica 

August  1, 

2012 

N/A 

In  a  news  release  to  announce  its  2009  report,  “Unsecured 
Economies:  Protecting  Vital  Information,”  computer  security  firm 
McAfee  estimated  a  trillion  dollar  global  cost  for  cybercrime.  The 
number  does  not  appear  in  the  report  itself.  McAfee’s  trillion- 
dollar  estimate  is  questioned  even  by  the  three  independent 
researchers  from  Purdue  University  whom  McAfee  credits  with 
analyzing  the  raw  data  from  which  the  estimate  was  derived.  An 
examination  of  their  origins  by  ProPublica  has  found  new  grounds 
to  question  the  data  and  methods  used  to  generate  these 
numbers,  which  McAfee  and  Symantec  say  they  stand  behind. 

Information  Security:  Cyber  Threats  Facilitate  Ability  to 
Commit  Economic  Espionage 

GAO 

June  28, 

2012 

20 

This  statement  discusses  (1)  cyber  threats  facing  the  nation’s 
systems,  (2)  reported  cyber  incidents  and  their  impacts,  (3) 
security  controls  and  other  techniques  available  for  reducing  risk, 
and  (4)  the  responsibilities  of  key  federal  entities  in  support  of 
protecting  IP. 

Measuring  the  Cost  of  Cybercrime 

1  Ith  Annual 
Workshop  on 
the  Economics  of 
Information 
Security 

June  25, 

2012 

N/A 

From  the  report,  “For  each  of  the  main  categories  of  cybercrime 
we  set  out  what  is  and  is  not  known  of  the  direct  costs,  indirect 
costs  and  defence  costs  -  both  to  the  UK  and  to  the  world  as  a 
whole.” 
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The  Impact  of  Cybercrime  on  Businesses 

Ponemon 

Institute 

May  2012 

21 

The  study  found  that  targeted  attacks  on  businesses  cost 
enterprises  an  average  of  $214,000.  The  expenses  are  associated 
with  forensic  investigations,  investments  in  technology,  and  brand 
recovery  costs. 

Proactive  Policy  Measures  by  Internet  Service  Providers 
against  Botnets 

Organisation  for 
Economic  Co¬ 
operation  and 
Development 

May  7,  2012 

25 

This  report  analyzes  initiatives  in  a  number  of  countries  through 
which  end-users  are  notified  by  ISPs  when  their  computer  is 
identified  as  being  compromised  by  malicious  software  and 
encouraged  to  take  action  to  mitigate  the  problem. 

Developing  State  Solutions  to  Business  Identity  Theft: 
Assistance,  Prevention  and  Detection  Efforts  by  Secretary 
of  State  Offices 

National 
Association  of 
Secretaries  of 

State 

January  2012 

23 

This  white  paper  is  the  result  of  efforts  by  the  1 9-member  NASS 
Business  Identity  Theft  Task  Force  to  develop  policy  guidelines 
and  recommendations  for  state  leaders  dealing  with  identity  fraud 
cases  involving  public  business  records. 

Twenty  Critical  Security  Controls  for  Effective  Cyber 
Defense:  Consensus  Audit  Guidelines  (CAG) 

SANS 

October  3, 

201  1 

77 

The  20  security  measures  are  intended  to  focus  agencies’  limited 
resources  on  plugging  the  most  common  attack  vectors. 

Revealed:  Operation  Shady  RAT:  an  Investigation  Of 
Targeted  Intrusions  Into  70+  Global  Companies, 
Governments,  and  Non-Profit  Organizations  During  the 
Last  5  Years 

McAfee 

August  2, 

201  1 

14 

A  cyber-espionage  operation  lasting  many  years  penetrated  72 
government  and  other  organizations,  most  of  them  in  the  United 
States,  and  has  copied  everything  from  military  secrets  to 
industrial  designs,  according  to  technology  security  company 

McAfee.  (See  page  4  for  the  types  of  compromised  parties,  page  5 
for  the  geographic  distribution  of  victim’s  country  of  origin,  pages 

7-9  for  the  types  of  victims,  and  pages  10-13  for  the  number  of 
intrusions  for  2007-2010). 

The  Role  of  Internet  Service  Providers  in  Botnet 

Mitigation:  an  Empirical  Analysis  Bases  on  Spam  Data 

Organisation  for 
Economic  Co¬ 
operation  and 
Development 

November 

12,  2010 

31 

This  working  paper  considers  whether  ISPs  can  be  critical  control 
points  for  botnet  mitigation,  how  the  number  of  infected  machines 
varies  across  ISPs,  and  why. 

Untangling  Attribution:  Moving  to  Accountability  in 
Cyberspace  [Testimony] 

Council  on 

Foreign  Relations 

July  15,  2010 

14 

Robert  K.  Knake’s  testimony  before  the  House  Committee  on 
Science  and  Technology  on  the  role  of  attack  attribution  in 
preventing  cyberattacks  and  how  attribution  technologies  can 
affect  the  anonymity  and  the  privacy  of  Internet  users. 

Technology,  Policy,  Law,  and  Ethics  Regarding  U.S. 
Acquisition  and  Use  of  Cyberattack  Capabilities 

National 

Research 

Council 

2009 

368 

This  report  explores  important  characteristics  of  cyberattack.  It 
describes  the  current  international  and  domestic  legal  structure  as 
it  might  apply  to  cyberattack,  and  considers  analogies  to  other 
domains  of  conflict  to  develop  relevant  insights. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
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Emerging  Cyber  Threats  Report  2014 

Georgia  Institute 
of  Technology 

January  2014 

16 

Brief  compilation  of  academic  research  on  Losing  Control  of 

Cloud  Data,  Insecure  but  Connected  Devices,  Attackers  Adapt  to 
Mobile  Ecosystems,  Costs  of  Defending  Against  Cyber  Attacks 
Remain  High,  Information  Manipulation  Advances. 

Cybersecurity  and  Cyberwar:  What  Everyone  Needs  to 
Know 

Singer,  Peter  W. 
and  Allan 

Friedman 

(Brookings 

Institution) 

January  2014 

306 

The  book  looks  at  cybersecurity  issues  faced  by  the  military, 
government,  businesses  and  individuals,  and  what  happens  when 
they  try  to  balance  security  with  freedom  of  speech  and  the  ideals 
of  an  open  Internet. 

Cyber-enabled  Competitive  Data  Theft:  A  Framework  for 
Modeling  Long-Run  Cybersecurity  Consequences 

Brookings 

Institution 

December 

2013 

18 

Economic  espionage  has  existed  at  least  since  the  industrial 
revolution,  but  the  scope  of  modern  cyber-enabled  competitive 
data  theft  may  be  unprecedented.  With  this  paper,  Friedman, 
Mack-Crane,  and  Hammond  present  what  they  believe  is  the  first 
economic  framework  and  model  to  understand  the  long-run 
impact  of  competitive  data  theft  on  an  economy  by  taking  into 
account  the  actual  mechanisms  and  pathways  by  which  theft 
harms  the  victims. 

To  Kill  a  Centrifuge:  A  Technical  Analysis  of  What 

Stuxnet’s  Creators  Tried  to  Achieve 

The  Langner 
Group 

November 

2013 

36 

This  document  summarizes  the  most  comprehensive  research  on 
the  Stuxnet  malware  so  far:  It  combines  results  from  reverse 
engineering  the  attack  code  with  intelligence  on  the  design  of  the 

attacked  plant  and  background  information  on  the  attacked 
uranium  enrichment  process.  It  looks  at  the  attack  vectors  of  the 
two  different  payloads  contained  in  the  malware  and  especially 
provides  an  analysis  of  the  bigger  and  much  more  complex 
payload  that  was  designed  to  damage  centrifuge  rotors  by 
overpressure.  With  both  attack  vectors  viewed  in  context, 
conclusions  are  drawn  about  the  reasoning  behind  a  radical 
change  of  tactics  between  the  complex  earlier  attack  and  the 
comparatively  simple  later  attack  that  tried  to  manipulate 
centrifuge  rotor  speeds. 
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20 1 3  Annual  Report  to  Congress 

U.S.-China 

Economic 

Commission 

October  20, 
2013 

465 

In  2013,  the  Commission  continued  its  close  examination  of 
China’s  cyber  capabilities.  Strong  evidence  has  emerged  that  the 
Chinese  government  is  directing  and  executing  a  large-scale  cyber 
espionage  campaign  against  the  United  States,  including  the  U.S. 
government  and  private  companies.  However,  the  public 
exposure  of  Chinese  cyber  espionage  in  2013  has  apparently  not 
changed  China’s  attitude  about  the  use  of  cyber  espionage  to 
steal  intellectual  property  and  proprietary  information.  (See: 
Chapter  2,  Section  2:  “China's  Cyber  Activities.”) 

W32.Duqu:  The  Precursor  to  the  Next  Stuxnet 

Symantec 

November 

14,  2013 

N/A 

On  October  14,  201  1,  a  research  lab  with  strong  international 
connections  alerted  Symantec  to  a  sample  that  appeared  to  be 
very  similar  to  Stuxnet,  the  malware  which  wreaked  havoc  in 

Iran’s  nuclear  centrifuge  farms  last  summer.  The  lab  named  the 
threat  “Duqu”  because  it  creates  files  with  the  file  name  prefix 
“DQ”.  The  research  lab  provided  Symantec  with  samples 
recovered  from  computer  systems  located  in  Europe,  as  well  as  a 
detailed  report  with  their  initial  findings,  including  analysis 
comparing  the  threat  to  Stuxnet. 

Offensive  Cyber  Capabilities  at  the  Operational  Level  - 
The  Way  Ahead 

Center  for 
Strategic  & 
International 
Studies  (CSIS) 

September 

16,  2013 

20 

The  specific  question  this  report  examines  is  whether  the 

Defense  Department  should  make  a  more  deliberate  effort  to 
explore  the  potential  of  offensive  cyber  tools  at  levels  below  that 
of  a  combatant  command. 

Cyber-Warfare:  Is  the  risk  of  cyber-warfare  overrated? 

The  Economist 

August  2, 

2013 

N/A 

( Economist  Debates  adapt  the  Oxford  style  of  debating  to  an 
online  forum.  Each  side  has  three  chances  to  persuade  readers: 
opening,  rebuttal  and  closing).  "Separating  hype  from  the  urgent 
questions  is  hard.  Amid  talk  of  a  "digital  Pearl  Harbour"  and 
"advanced  persistent  threats"  it  is  hard  to  know  whether  we  are 
really  "losing  the  war"  against  the  purveyors  and  users  of  malware 
and  digital  weapons.” 

The  Economic  Impact  of  Cybercrime  and  Cyber  Espionage 

Center  for 
Strategic  and 
International 
Studies 

July  22,  2013 

20 

Losses  to  the  United  States  (the  country  where  data  is  most 
accessible)  may  reach  $100  billion  annually.  The  cost  of 
cybercrime  and  cyber  espionage  to  the  global  economy  is  some 
multiple  of  this  likely  measured  in  hundreds  of  billions  of  dollars. 
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Role  of  Counterterrorism  Law  in  Shaping  ‘ad  Bellum'  International  Law 

Norms  for  Cyber  Warfare  Studies  (U.S. 

Naval  War 
College) 


The  Tallinn  Manual  on  the  International  Law  Applicable  to 
Cyber  Warfare 


Cambridge 
University  Press/ 
NATO 
Cooperative 
Cyber  Defence 
Center  of 
Excellence 


Cyberterrorism:  A  Survey  of  Researcherso 


Swansea 

University 


APTI:  Exposing  One  of  China’s  Cyber  Espionage  Units  Mandiant 


Video  demo  of  Chinese  hacker  activity  Mandiant 

(click  on  “APTI  Video”  at  top  right  of  screen) 
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April  I, 
2013 


March  5, 
2013 


March  2013 


February  19, 
2013 


February  19, 
2013 


42  The  prospect  of  cyber  war  has  evolved  from  science  fiction  and 
over-the-top  doomsday  depictions  on  television,  films,  and  in 
novels  to  reality  and  front-page  news...  To  date  there  has  been 
little  attention  given  to  the  possibility  that  international  law 
generally  and  counterterrorism  law  in  particular  could  and  should 
develop  a  subset  of  cyber-counterterrorism  law  to  respond  to 
the  inevitability  of  cyberattacks  by  terrorists  and  the  use  of  cyber 
weapons  by  governments  against  terrorists,  and  to  supplement 
existing  international  law  governing  cyber  war  where  the 
intrusions  do  not  meet  the  traditional  kinetic  thresholds. 

302  The  Tallinn  Manual  identifies  the  international  law  applicable  to 
cyber  warfare  and  sets  out  95  ‘black-letter  rules’  governing  such 
conflicts.  An  extensive  commentary  accompanies  each  rule,  which 
sets  forth  each  rules’  basis  in  treaty  and  customary  law,  explains 
how  the  group  of  experts  interpreted  applicable  norms  in  the 
cyber  context,  and  outlines  any  disagreements  within  the  group 
as  to  each  rules’  application.  (Note:  The  manual  is  not  an  official 
NATO  publication,  but  an  expression  of  opinions  of  a  group  of 
independent  experts  acting  solely  in  their  personal  capacity.) 

21  This  report  provides  an  overview  of  findings  from  a  project 

designed  to  capture  current  understandings  of  cyberterrorism 
within  the  research  community.  The  project  ran  between  June 
and  November  2012,  and  employed  a  questionnaire  which  was 
distributed  to  over  600  researchers,  authors  and  other  experts. 
Potential  respondents  were  identified  using  a  combination  of 
methods,  including  targeted  literature  reviews,  standing  within 
relevant  academic  communities,  snowballing  from  earlier 
participants  or  contacts,  and  the  use  of  two  mailing  lists.  I  18 
responses  were  received  in  total,  from  individuals  working  in  24 
countries  across  six  continents.  Please  contact  the  research  team 
with  any  enquiries  on  the  project’s  methods  and  findings  (see  p. 

21  for  contact  details). 

76  The  details  analyzed  during  hundreds  of  investigations  signal  that 
the  groups  conducting  these  activities  (computer  security 
breaches  around  the  world)  are  based  primarily  in  China  and  that 
the  Chinese  government  is  aware  of  them. 

N/A  Video  of  APTI  attacker  sessions  and  intrusion  activities  (5-minute 
video). 
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Crisis  and  Escalation  in  Cyberspace 

RAND  Corp. 

December 

2012 

200 

The  report  considers  how  the  Air  Force  should  integrate  kinetic 
and  nonkinetic  operations.  Central  to  this  process  was  careful 
consideration  of  how  escalation  options  and  risks  should  be 
treated,  which,  in  turn,  demanded  a  broader  consideration  across 
the  entire  crisis-management  spectrum.  Such  crises  can  be 
managed  by  taking  steps  to  reduce  the  incentives  for  other  states 
to  step  into  crisis,  by  controlling  the  narrative,  understanding  the 
stability  parameters  of  the  crises,  and  trying  to  manage  escalation 
if  conflicts  arise  from  crises. 

Cyberattacks  Among  Rivals:  200 1  -20 1  1  (from  the  article, 
“The  Fog  of  Cyberwar”  by  Brandon  Variano  and  Ryan 
Maness  (subscription  required) 

Foreign  Affairs 

November 

21, 2012 

N/A 

A  chart  showing  cyberattacks  by  initiator  and  victim,  200 1  -20 1  1 . 

Emerging  Cyber  Threats  Report  20 1 3 

Georgia  Institute 
of  Technology 

November 

14,  2012 

9 

The  year  ahead  will  feature  new  and  increasingly  sophisticated 
means  to  capture  and  exploit  user  data,  escalating  battles  over 
the  control  of  online  information  and  continuous  threats  to  the 
U.S.  supply  chain  from  global  sources.  (From  the  annual  Georgia 
Tech  Cyber  Security  Summit  2012). 

Proactive  Defense  for  Evolving  Cyber  Threats 

Sandia  National 
Labs 

November 

2012 

98 

The  project  applied  rigorous  predictability-based  analytics  to  two 
central  and  complementary  aspects  of  the  network  defense 
problem — attack  strategies  of  the  adversaries  and  vulnerabilities 
of  the  defenders’  systems — and  used  the  results  to  develop  a 
scientifically-grounded,  practically-implementable  methodology  for 
designing  proactive  cyber  defense  systems. 

Safeguarding  Cyber-Security,  Fighting  in  Cyberspace 

International 
Relations  and 
Security 

Network  (ISN) 

October  22, 
2012 

N/A 

Looks  at  the  militarization  of  cyber  security  as  a  source  of  global 
tension,  and  makes  the  case  that  cyber-warfare  is  already  an 
essential  feature  of  many  leading  states’  strategic  calculations, 
followed  by  its  opposite — i.e.,  one  that  believes  the  threat  posed 
by  cyber-warfare  capabilities  is  woefully  overstated. 

Before  We  Knew  It:  An  Empirical  Study  of  Zero-Day 
Attacks  In  The  Real  World 

Symantec 

Research  Labs 

October  1 6, 
2012 

12 

The  paper  describes  a  method  for  automatically  identifying  zero- 
day  attacks  from  field-gathered  data  that  records  when  benign 
and  malicious  binaries  are  downloaded  on  1  1  million  real  hosts 
around  the  world.  Searching  this  data  set  for  malicious  files  that 
exploit  known  vulnerabilities  indicates  which  files  appeared  on  the 
Internet  before  the  corresponding  vulnerabilities  were  disclosed. 

Investigative  Report  on  the  U.S.  National  Security  Issues 
Posed  by  Chinese  Telecommunications  Companies 

Huawei  and  ZTE 

House 

Permanent  Select 
Committee  on 
Intelligence 

October  8, 
2012 

60 

The  committee  initiated  this  investigation  in  November  2011  to 
inquire  into  the  counterintelligence  and  security  threat  posed  by 
Chinese  telecommunications  companies  doing  business  in  the 
United  States. 
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Federal  Support  for  and  Involvement  in  State  and  Local 
Fusion  Centers 

U.S.  Senate 
Permanent 

Subcommittee  on 
Investigations 

October  3, 
2012 

141 

A  two-year  bipartisan  investigation  found  that  U.S.  Department  of 
Homeland  Security  efforts  to  engage  state  and  local  intelligence 
“fusion  centers”  has  not  yielded  significant  useful  information  to 
support  federal  counterterrorism  intelligence  efforts.  In  Section 

VI,  “Fusion  Centers  Have  Been  Unable  to  Meaningfully 

Contribute  to  Federal  Counterterrorism  Efforts,”  Part  G,  “Fusion 
Centers  May  Have  Hindered,  Not  Aided,  Federal 
Counterterrorism  Efforts,”  the  report  discusses  the  Russian 
“Cyberattack”  in  Illinois. 

Putting  the  “war”  in  cyberwar:  Metaphor,  analogy,  and 
cybersecurity  discourse  in  the  United  States 

First  Monday 

July  2,2012 

N/A 

This  essay  argues  that  current  contradictory  tendencies  are 
unproductive  and  even  potentially  dangerous.  It  argues  that  the 
war  metaphor  and  nuclear  deterrence  analogy  are  neither  natural 
nor  inevitable  and  that  abandoning  them  would  open  up  new 
possibilities  for  thinking  more  productively  about  the  full 
spectrum  of  cyber  security  challenges,  including  the  as-yet 
unrealized  possibility  of  cyber  war. 

Nodes  and  Codes:  The  Reality  of  Cyber  Warfare 

U.S.  Army  School 
of  Advanced 
Military  Studies, 
Command  and 
General  Staff 

May  17, 

2012 

62 

Explores  the  reality  of  cyber  warfare  through  the  story  of 

Stuxnet.  Three  case  studies  evaluate  cyber  policy,  discourse,  and 
procurement  in  the  United  States,  Russia,  and  China  before  and 
after  Stuxnet  to  illustrate  their  similar,  yet  unique,  realities  of 
cyber  warfare. 

A  Cyberworm  that  Knows  No  Boundaries 

RAND 

December 

21, 201  1 

55 

Stuxnet-like  worms  pose  a  serious  threat  even  to  infrastructure 
and  computer  systems  that  are  not  connected  to  the  Internet. 
However,  defending  against  such  attacks  is  an  increasingly 
complex  prospect. 

Department  of  Defense  Cyberspace  Policy  Report:  A 
Report  to  Congress  Pursuant  to  the  National  Defense 
Authorization  Act  for  Fiscal  Year  2011,  Section  934 

DOD 

November 

201  1 

14 

From  the  report:  “When  warranted,  we  will  respond  to  hostile 
attacks  in  cyberspace  as  we  would  to  any  other  threat  to  our 
country.  We  reserve  the  right  to  use  all  necessary  means  - 
diplomatic,  informational,  military  and  economic  -  to  defend  our 
nation,  our  allies,  our  partners  and  our  interests.” 

Cyber  War  Will  Not  Take  Place 

Journal  of 

Strategic  Studies 

October  5, 
2011 

29 

The  paper  argues  that  cyber  warfare  has  never  taken  place,  is  not 
currently  taking  place,  and  is  unlikely  to  take  place  in  the  future. 
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USCYBERCOM  and  Cyber  Security:  Is  a  Comprehensive 
Strategy  Possible? 

Army  War 

College 

May  12, 

201  1 

32 

Examine  five  aspects  of  USCYBERCOM:  organization,  command 
and  control,  computer  network  operations  (CNO), 
synchronization,  and  resourcing.  Identify  areas  that  currently 
present  significant  risk  to  USCYBERCOM’s  ability  to  create  a 
strategy  that  can  achieve  success  in  its  cyberspace  operations. 
Recommend  potential  solutions  that  can  increase  the 
effectiveness  of  the  USCYBERCOM  strategy. 

A  Four-Day  Dive  Into  Stuxnet’s  Heart 

Threat  Level  Blog 
(Wired) 

December 

27,  2010 

N/A 

From  the  article,  “It  is  a  mark  of  the  extreme  oddity  of  the 

Stuxnet  computer  worm  that  Microsoft’s  Windows  vulnerability 
team  learned  of  it  first  from  an  obscure  Belarusian  security 
company  that  even  they  had  never  heard  of.” 

Did  Stuxnet  Take  Out  1,000  Centrifuges  at  the  Natanz 
Enrichment  Plant?  Preliminary  Assessment 

Institute  for 

Science  and 

International 

Security 

December 

22,  2010 

10 

This  report  indicates  that  commands  in  the  Stuxnet  code 
intended  to  increase  the  frequency  of  devices  targeted  by  the 
malware  exactly  match  several  frequencies  at  which  rotors  in 
centrifuges  at  Iran’s  Natanz  enrichment  plant  are  designed  to 
operate  optimally  or  are  at  risk  of  breaking  down  and  flying  apart. 

Stuxnet  Analysis 

European 

Network  and 
Information 
Security  Agency 

October  7, 
2010 

N/A 

EU  cybersecurity  agency  warns  that  the  Stuxnet  malware  is  a 
game  changer  for  critical  information  infrastructure  protection; 

PLC  controllers  of  SCADA  systems  infected  with  the  worm 
might  be  programmed  to  establish  destructive  over/under 
pressure  conditions  by  running  pumps  at  different  frequencies. 

Proceedings  of  a  Workshop  on  Deterring  Cyberattacks: 
Informing  Strategies  and  Developing  Options  for  U.S. 

Policy 

National 

Research  Council 

October  5, 
2010 

400 

Per  request  of  the  Office  of  the  Director  of  National  Intelligence, 
the  National  Research  Council  undertook  a  two-phase  project 
aimed  to  foster  a  broad,  multidisciplinary  examination  of 
strategies  for  deterring  cyberattacks  on  the  United  States  and  of 
the  possible  utility  of  these  strategies  for  the  U.S.  government. 

Notes:  Highlights  compiled  by  CRS  from  the  reports. 
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Table  7.  International  Efforts 


Title 

Source 

Date 

Pages 

Notes 

The  Cyber  Hub 

Booz  Allen  Hamilton  and 
the  Economist  Intelligence 
Unit 

Ongoing 

N/A 

The  Cyber  Hub's  content  was  built  on  several  integral 
parts:  an  index  that  assesses  specific  aspects  of  the  cyber 
environment  of  the  G20  countries,  and  a  series  of 
research  papers  that  examine  the  implications  for  the 
business  community. 

Cybersecurity  Legislation 

International 

Telecommunications  Union 

Ongoing 

N/A 

An  integral  and  challenging  component  of  any  national 
Cybersecurity  strategy  is  the  adoption  of  regionally  and 
internationally  harmonized,  appropriate  legislation  against 
the  misuse  of  ICTs  for  criminal  or  other  purposes. 

Cyber  Security  Strategy:  Progress  So  Far 

UK  Cabinet  Office 

Ongoing 

N/A 

From  the  report,  “To  support  the  Strategy  we  put  in 
place  a  National  Cyber  Security  Programme  (NCSP) 
backed  by  £650  million  of  funding  to  20 1 5.  This  year  we 
increased  that  investment  with  a  further  £210  million  in 

20 1 5  to  20 1 6.  This  funding  will  build  on  existing  projects 
and  also  support  new  investment,  enabling  the  UK  to 
retain  its  emerging  reputation  as  a  leader  in  the  field  of 
cyber  security.” 

10  Steps  to  Cyber  Security 

UK  Dept,  for  Business 
Innovation  &  Skills  (BIS)  and 
the  Centre  for  the 

Protection  of  National 
Infrastructure  (CPNI) 

February  4,  2014 

20 

The  joint  communique  outlines  steps  UK  regulators  and 
government  departments  have  agreed  to  undertake  to 
improve  the  country's  cyber  systems  and  networks 
defenses.  The  steps  to  combat  cyberattacks  include 
assessing  the  state  of  cybersecurity  across  each  sector 

and  working  with  industry  to  address  vulnerabilities; 
working  with  industry  to  increase  information  flows  on 
threat  vulnerabilities  and  mitigation  strategies; 
encouraging  companies  to  join  information  sharing 
initiatives,  such  as  the  Cyber  Security  Information  Sharing 
Partnership,  a  partnership  between  the  U.K.  government 
and  industry  to  share  information  and  intelligence  on 
cybersecurity  threats  launched  in  March  2013;  and 
encouraging  companies  to  undertake  a  self-assessment 
pursuant  to  guidance  published  by  the  U.K.  Department 
for  Business,  Innovation  and  Skills. 
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Title 


Source 


20 1 3  Joint  Report 


U.S. -Russia  Bilateral 
Presidential  Commission 


(BPC) 


World  Federation  of  Exchanges  (WFE)  Launches  World  Federation  of 
Global  Cyber  Security  Committee  Exchanges 


Handbook  on  European  Data  Protection  Law  Council  of  Europe 


20 1 3  Annual  Report  to  Congress 


U.S. -China  Economic 
Commission 
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Date 


Pages 


Notes 


December  27,  20 1 3 


December  1 2,  20 1 3 


December  20 1  3 


October  20,  2013 


40  The  report  includes  updates  from  each  of  the  BPC’s  21 
working  groups.  See  the  Working  Group  on  the  Threats 
to  and  in  the  use  of  Information  Communications 
Technologies  in  the  Context  of  International  Service 
section  on  pages  I  I  - 1 2.  A  key  component  of  the 
discussion  concerned  the  implementation  of  the  bilateral 
confidence  building  measures  (CBMs)  announced  by 
Presidents  Obama  and  Putin  in  June  20 1 3.  These  bilateral 
CBMs  are  intended  to  promote  transparency  and  reduce 
the  possibility  that  an  incident  related  to  the  use  of  ICTs 
could  unintentionally  cause  instability  or  escalation. 

N/A  The  WFE  announced  the  launch  of  the  exchange 

industry’s  first  cyber  security  committee  with  a  mission 
to  aid  in  the  protection  of  the  global  capital  markets.  The 
working  group  will  bring  together  representation  from  a 
number  of  exchanges  and  clearinghouses  across  the 
globe,  to  collaborate  on  best  practices  in  global  security. 

2 1 4  This  handbook  is  a  first  point  of  reference  on  both  EU 
law  and  the  European  Convention  on  Human  Rights 
(ECHR)  on  data  protection,  and  it  explains  how  this  field 
is  regulated  under  EU  law  and  under  the  ECHR  as  well  as 
the  CoE  Convention  for  the  Protection  of  Individuals 
with  regard  to  Automatic  Processing  of  Personal  Data 
(Convention  108)  and  other  CoE  instruments.  Each 
chapter  first  presents  a  single  table  of  the  applicable  legal 
provisions,  including  important  selected  case  law  under 
the  two  separate  European  legal  systems. 

465  In  2013,  the  Commission  continued  its  close  examination 
of  China’s  cyber  capabilities.  Strong  evidence  has 
emerged  that  the  Chinese  government  is  directing  and 
executing  a  large-scale  cyber  espionage  campaign  against 
the  United  States,  including  the  U.S.  government  and 
private  companies.  However,  the  public  exposure  of 
Chinese  cyber  espionage  in  2013  has  apparently  not 
changed  China’s  attitude  about  the  use  of  cyber 
espionage  to  steal  intellectual  property  and  proprietary 
information.  (See:  Chapter  2,  Section  2:  “China’s  Cyber 
Activities.”) 


Title 


Source 


Directive  of  the  European  Parliament  and  of  the  European  Parliament  Civil 
Council  on  Attacks  Against  Information  Systems  Liberties  Committee 


Confidence  Building  Measures  and  International  |^-j  4  peace  Foundation 
Cybersecurity 


FACT  SHEET:  U.S.-Russian  Cooperation  on  White  House 

Information  and  Communications  Technology 

Security 


Telecommunications  Networks:  Addressing  Government  Accountability 

Potential  Security  Risks  of  Foreign-Manufactured  Office 

Equipment 


CRS-36 


Date 


Pages 


Notes 


August  12,  2013 


June  21, 2013 


June  17,2013 


May  21,  2013 


7  The  objectives  of  the  Directive  are  to  approximate  the 
criminal  law  of  the  Member  States  in  the  area  of  attacks 
against  information  systems  by  establishing  minimum 
rules  concerning  the  definition  of  criminal  offences  and 
the  relevant  sanctions  and  to  improve  cooperation 
between  competent  authorities,  including  the  police  and 
other  specialized  law  enforcement  services  of  the 
Member  States,  as  well  as  the  competent  specialized 
Union  agencies  and  bodies,  such  as  Eurojust,  Europol  and 
its  European  Cyber  Crime  Centre,  and  the  European 
Network  and  Information  Security  Agency  (ENISA). 

21  Confidence  building  measures  can  serve  to  lay  the 

foundation  for  agreeing  on  acceptable  norms  of  behavior 
for  states  as  well  as  confidence  and  trust  building 
measures  to  avoid  miscalculation  and  escalation.  The 
report  is  divided  into  four  main  sections:  (I) 
Transparency,  Compliance,  and  Verification  Measures; 

(2)  Cooperative  Measures;  (3)  Collaboration  and 
Communication  Mechanisms;  and  (4)  Stability  and 
Restraint  Measures.  A  final  section  discusses  next  steps 
for  diplomatic  CBM  processes. 

N/A  The  United  States  and  the  Russian  Federation  are 

creating  a  new  working  group,  under  the  auspices  of  the 
Bilateral  Presidential  Commission,  dedicated  to  assessing 
emerging  ICT  threats  and  proposing  concrete  joint 
measures  to  address  them.  This  group  will  begin  its 
practical  activities  within  the  next  month. 

52  The  federal  government  has  begun  efforts  to  address  the 
security  of  the  supply  chain  for  commercial  networks... 
There  are  a  variety  of  other  approaches  for  addressing 
the  potential  risks  posed  by  foreign-manufactured 
equipment  in  commercial  communications  networks, 
including  those  approaches  taken  by  foreign 
governments...  While  these  approaches  are  intended  to 
improve  supply  chain  security  of  communications 
networks,  they  may  also  create  the  potential  for  trade 
barriers,  additional  costs,  and  constraints  on 
competition,  which  the  federal  government  would  have 
to  take  into  account  if  it  chose  to  pursue  such 
approaches. 


Title 


Source 


The  Global  Cyber  Game:  Achieving  Strategic 
Resilience  in  the  Global  Knowledge  Society 


Military  and  Security  Developments  Involving  the 
People’s  Republic  of  China  2013  (Annual  Report 
to  Congress) 


Defence  White  Paper  20 1 3 


Remaking  American  Security:  Supply  Chain 
Vulnerabilities  &  National  Security  Risks  Across 
the  U.S.  Defense  Industrial  Base 


Cyber  Security  Information  Partnership  (CISP) 


Defence  Academy  of  the 
United  Kingdom 


Department  of  Defense 


Australia  Department  of 
Defence 


Alliance  for  American 
Manufacturing 


Cabinet  Office,  United 
Kingdom 
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May  8,  2013 


May  6,  2013 


May  3,  2013 


May  2013 


March  27,  2013 


1 27  Provides  a  systematic  way  of  thinking  about  cyberpower 
and  its  use  by  a  range  of  global  players.  The  global 
cyberpower  contest  is  framed  as  a  Global  Cyber  Game, 
played  out  on  a  ‘Cyber  Gameboard' — a  framework  that 
can  be  used  for  strategic  and  tactical  thinking  about 
cyber  strategy. 

92  China  is  using  its  computer  network  exploitation 

capability  to  support  intelligence  collection  against  the 
U.S.  diplomatic,  economic,  and  defense  industrial  base 
sectors  that  support  U.S.  national  defense  programs.  The 
information  targeted  could  potentially  be  used  to  benefit 
China’s  defense  industry,  high-technology  industries, 
policy  maker  interest  in  U.S.  leadership  thinking  on  key 
China  issues,  and  military  planners  building  a  picture  of 
U.S.  network  defense  networks,  logistics,  and  related 
military  capabilities  that  could  be  exploited  during  a 
crisis. 

148  The  Australian  Cyber  Security  Centre  will  bring  together 
security  capabilities  from  the  Defence  Signals 
Directorate,  Defence  Intelligence  Organisation, 

Australian  Security  Intelligence  Organisation  (ASIO),  the 
Attorney-General’s  Department’s  Computer  Emergency 
Response  Team  (CERT)  Australia,  Australian  Federal 
Police  (AFP)  and  the  Australian  Crime  Commission 
(ACC). 

355  Because  the  supply  chain  is  global,  it  makes  sense  for  U.S. 
officials  to  cooperate  with  other  nations  to  ward  off 
cyberattacks.  Increased  international  cooperation  to 
secure  the  integrity  of  the  global  IT  system  is  a  valuable 
long-term  objective. 

N/A  CISP  introduces  a  secure  virtual  ‘collaboration 

environment’  where  government  and  industry  partners 
can  exchange  information  on  threats  and  vulnerabilities 
in  real  time.  CISP  will  be  complemented  by  a  ‘Fusion 
Cell,’  which  will  be  supported  on  the  government  side  by 
the  Security  Service,  GCHQ  and  the  National  Crime 
Agency,  and  by  industry  analysts  from  a  variety  of 
sectors. 


Title 

Source 

Date 

Pages 

Notes 

The  Tallinn  Manual  on  the  International  Law 
Applicable  to  Cyber  Warfare 

Cambridge  University  Press/ 
NATO  Cooperative  Cyber 
Defence  Center  of 

Excellence 

March  5,  2013 

302 

The  Tallinn  Manual  identifies  the  international  law 
applicable  to  cyber  warfare  and  sets  out  95  ‘black-letter 
rules’  governing  such  conflicts.  An  extensive  commentary 
accompanies  each  rule,  which  sets  forth  each  rules’  basis 
in  treaty  and  customary  law,  explains  how  the  group  of 
experts  interpreted  applicable  norms  in  the  cyber 
context,  and  outlines  any  disagreements  within  the  group 
as  to  each  rules’  application.  (Note:  The  manual  is  not  an 
official  NATO  publication,  but  an  expression  of  opinions 
of  a  group  of  independent  experts  acting  solely  in  their 
personal  capacity.) 

APTI:  Exposing  One  of  China’s  Cyber  Espionage 
Units 

Mandiant 

February  19,  2013 

76 

The  details  analyzed  during  hundreds  of  investigations 
signal  that  the  groups  conducting  these  activities 
(computer  security  breaches  around  the  world)  are 
based  primarily  in  China  and  that  the  Chinese 
government  is  aware  of  them. 

Worldwide  Threat  Assessment  of  the  U.S. 
Intelligence  Community  (Testimony) 

James  Clapper,  Director  of 
National  Intelligence 

February  1  1 ,  20 1 3 

34 

Clapper  provided  an  assessment  of  global  threats:  U.S. 
critical  infrastructure,  eroding  U.S.  economic  and 
national  security,  information  control  and  Internet 
governance,  and  hactivists  and  criminals. 

Linking  Cybersecurity  Policy  and  Performance 

Microsoft  Trustworthy 
Computing 

February  6,  20 1 3 

27 

Introduces  a  new  methodology  for  examining  how  socio¬ 
economic  factors  in  a  country  or  region  impact 
cybersecurity  performance.  Examines  measures  such  as 
use  of  modern  technology,  mature  processes,  user 
education,  law  enforcement  and  public  policies  related  to 
cyberspace.  This  methodology  can  build  a  model  that  will 
help  predict  the  expected  cybersecurity  performance  of 
a  given  country  or  region. 
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Administration  Strategy  for  Mitigating  the  Theft  of  White  House  February  20 1 3 

U.S.  Trade  Secrets 


The  Chinese  Defense  Economy  Takes  Off:  UC  Institute  on  Global  January  25,  2013 

Sector-by-Sector  Assessments  and  the  Role  of  Conflict  and  Cooperation 
Military  End-Users 


Defence  and  Cyber-Security,  vol.  I  -  Report,  House  of  Commons  December  18,  2012 

together  with  formal  minutes,  oral  and  written  Defence  Committee  (UK) 

evidence 

Defence  and  Cyber-Security,  vol.  2  -  Additional 
Written  Evidence 


141  From  the  report,  “First,  we  will  increase  our  diplomatic 
engagement....  Second,  we  will  support  industry-led 
efforts  to  develop  best  practices  to  protect  trade  secrets 
and  encourage  companies  to  share  with  each  other  best 
practices  that  can  mitigate  the  risk  of  trade  secret  theft.... 
Third,  DOJ  will  continue  to  make  the  investigation  and 
prosecution  of  trade  secret  theft  by  foreign  competitors 
and  foreign  governments  a  top  priority....  Fourth, 
President  Obama  recently  signed  two  pieces  of 
legislation  that  will  improve  enforcement  against  trade 
secret  theft....  Lastly,  we  will  increase  public  awareness  of 
the  threats  and  risks  to  the  U.S.  economy  posed  by  trade 
secret  theft.” 


87  This  collection  of  15  policy  briefs  explores  how  China 

has  made  such  impressive  military  technological  progress 
over  the  past  few  years,  what  is  in  store,  and  what  are 
the  international  security  implications.  The  briefs  are 
summaries  of  a  series  of  longer  research  papers 
presented  at  the  third  annual  Chinese  defense  economy 
conference  held  by  the  Study  of  Innovation  and 
T echnology  in  China  in  July  20 1 2. 


99 

(vol. 

1) 

37 

(vol. 

2) 


Given  the  inevitable  inadequacy  of  the  measures  available 
to  protect  against  a  constantly  changing  and  evolving 
threat,  and  given  the  Minister  for  the  Cabinet  Office’s 
comment,  it  is  not  enough  for  the  Armed  Forces  to  do 
their  best  to  prevent  an  effective  attack.  In  its  response 
to  this  report  the  Government  should  set  out  details  of 
the  contingency  plans  it  has  in  place  should  such  an 
attack  occur.  If  it  has  none,  it  should  say  so — and 
urgently  create  some. 
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The  Challenge  of  Cyber  Power  for  Central 

African  Countries:  Risks  and  Opportunities 

Naval  Postgraduate  School 

December  2012 

209 

From  the  report, “The  Central  African  militaries,  which 
are  supposed  to  be  the  first  line  of  defense  for  their 
governments'  institutions,  are  dramatically  behind  the 
times.  To  address  this  situation,  the  governments  of 

Central  Africa  need  to  adopt  a  collaborative  cyber 
strategy  based  on  common  investment  in  secure  cyber 
infrastructures.  Such  cooperation  will  help  to  create  a 
strong  cyber  environment  conducive  of  the  confidence 
and  trust  necessary  for  the  emergence  of  a  cyber 
community  of  Central  African  States  (C3AS).  For  Central 
African  militaries,  massive  training  and  recruiting  will  be 
the  first  move  to  begin  the  process  of  catching  up.” 

Cybersecurity:  Managing  Risks  for  Greater 
Opportunities 

Organization  for  Economic 
Co-operation  and 
Development 

November  29,  20 1 2 

N/A 

The  OECD  launched  a  broad  consultation  of  all 
stakeholders  from  member  and  non-member  countries 
to  review  its  Security  Guidelines.  The  review  takes  into 
account  newly  emerging  risks,  technologies  and  policy 
trends  around  such  areas  as  cloud  computing,  digital 
mobility,  the  Internet  of  things,  social  networking,  etc. 

Cybersecurity  Policy  Making  at  a  Turning  Point: 
Analysing  a  New  Generation  of  National 
Cybersecurity  Strategies  for  the  Internet 

Economy 

Organization  for  Economic 
Co-operation  and 
Development 

November  16,  2012 

i  17 

This  report  analyzes  the  latest  generation  of  national 
cybersecurity  strategies  in  ten  OECD  countries  and 
identifies  commonalities  and  differences. 

20 1 2  Report  to  Congress  of  the  U.S. -China 
Economic  and  Security  Review  Commission,  One 
Hundred  Twelfth  Congress,  Second  Session, 
November  20 1 2 

U.S. -China  Economic  and 
Security  Review 

Commission 

November  2012 

509 

This  report  responds  to  the  mandate  for  the 

Commission  “to  monitor,  investigate,  and  report  to 
Congress  on  the  national  security  implications  of  the 
bilateral  trade  and  economic  relationship  between  the 
United  States  and  the  People’s  Republic  of  China.”  See 
“China's  Cyber  Activities,"  Chapter  2,  Section  2,  pp.  147- 
169. 
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Australia:  Telecommunications  Data  Retention — 
an  Overview 

Parliamentary  Library  of 
Australia 

October  24,  2012 

32 

In  July  2012,  the  Commonwealth  Attorney-General’s 
Department  released  a  Discussion  Paper,  Equipping 
Australia  against  emerging  and  evolving  threats,  on  the 
proposed  national  security  reforms....  Of  the  18  primary 
proposals  and  the  41  individual  reforms  that  they 
comprise,  the  suggestion  that  carriage  service  providers 
(CSPs)  be  required  to  routinely  retain  certain 
information  associated  with  every  Australian’s  use  of  the 
Internet  and  phone  services  for  a  period  of  up  to  two 
years  (‘data  retention’)  is  the  issue  that  seems  to  have 
attracted  the  most  attention. 

More  Than  Meets  the  Eye:  Clandestine  Funding, 
Cutting-Edge  Technology  and  China’s  Cyber 
Research  &  Development  Program 

Lawrence  Livermore 

National  Laboratory 

October  17,  2012 

17 

Analyzes  how  the  Chinese  leadership  views  information 
technology  research  and  development  (R&D),  as  well  as 
the  role  cyber  R&D  plays  in  China’s  various  strategic 
development  plans.  Explores  the  organizational  structure 
of  China’s  cyber  R&D  base.  Concludes  with  a  projection 
of  how  China  might  field  new  cyber  capabilities  for 
intelligence  platforms,  advanced  weapons  systems,  and 
systems  designed  to  support  asymmetric  warfare 
operations. 

Investigative  Report  on  the  U.S.  National  Security 
Issues  Posed  by  Chinese  Telecommunications 
Companies  Huawei  and  ZTE 

House  Permanent  Select 
Committee  on  Intelligence 

October  8,  2012 

60 

The  committee  initiated  this  investigation  in  November 
2011  to  inquire  into  the  counterintelligence  and  security 
threat  posed  by  Chinese  telecommunications  companies 
doing  business  in  the  United  States. 

Bilateral  Discussions  on  Cooperation  in 
Cybersecurity 

China  Institute  of 
Contemporary  International 
Relations  and  the  Center  for 
Strategic  and  International 
Studies  (CSIS) 

June  2012 

N/A 

Since  2009,  CSIS  and  CICIR  have  held  six  formal 
meetings  on  cybersecurity  (accompanied  by  several 
informal  discussions),  called  “Sino-U.S.  Cybersecurity 
Dialogue.”  The  meetings  have  been  attended  by  a  broad 
range  of  U.S.  and  Chinese  officials  and  scholars 
responsible  for  cybersecurity  issues.  The  goals  of  the 
discussions  have  been  to  reduce  misperceptions  and  to 
increase  transparency  of  both  countries’  authorities  and 
understanding  on  how  each  country  approaches 
cybersecurity,  and  to  identify  areas  of  potential 
cooperation. 

CRS-41 


Title 

Source 

Date 

Pages 

Notes 

Five  Years  after  Estonia’s  Cyber  Attacks:  Lessons 
Learned  for  NATO? 

NATO 

May  2012 

8 

In  April  2007  a  series  of  cyberattacks  targeted  Estonian 
information  systems  and  telecommunication  networks. 
Lasting  22  days,  the  attacks  were  directed  at  a  range  of 
servers  (web,  e-mail,  DNS)  and  routers.  The  2007 
attacks  did  not  damage  much  of  the  Estonian  information 
technology  infrastructure.  However,  the  attacks  were  a 
true  wake-up  call  for  NATO,  offering  a  practical 
demonstration  that  cyberattacks  could  now  cripple  an 
entire  nation  dependent  on  IT  networks. 

Cyber-security:  The  Vexed  Question  of  Global 
Rules:  An  Independent  Report  on  Cyber- 
Preparedness  Around  the  World 

McAfee 

February  1,  2012 

108 

Forty-five  percent  of  legislators  and  cybersecurity 
experts  representing  27  countries  think  cybersecurity  is 
just  as  important  as  border  security.  The  authors 
surveyed  80  professionals  from  business,  academia  and 
government  to  gauge  worldwide  opinions  of 
cybersecurity. 

The  UK  Cyber  Security  Strategy:  Protecting  and 
promoting  the  UK  in  a  digital  world 

Cabinet  Office  (United 
Kingdom) 

November  20 1  1 

43 

Chapter  1  describes  the  background  to  the  growth  of 
the  networked  world  and  the  immense  social  and 
economic  benefits  it  is  unlocking.  Chapter  2  describes 
these  threats.  The  impacts  are  already  being  felt  and  will 
grow  as  our  reliance  on  cyberspace  grows.  Chapter  3 
sets  out  where  we  want  to  end  up — with  the 
government’s  vision  for  UK  cyber  security  in  2015. 

Foreign  Spies  Stealing  US  Economic  Secrets  in 
Cyberspace 

Office  of  the  National 

Counterintelligence 

Executive 

October  20 1  1 

31 

According  to  the  report,  espionage  and  theft  through 
cyberspace  are  growing  threats  to  the  United  States’ 
security  and  economic  prosperity,  and  the  world’s  most 
persistent  perpetrators  happen  to  also  be  U.S.  allies. 

International  Strategy  for  Cyberspace 

White  House/OMB 

May  16,  201  1 

30 

The  strategy  marks  the  first  time  any  administration  has 
attempted  to  set  forth  in  one  document  the  U.S. 
government’s  vision  for  cyberspace,  including  goals  for 
defense,  diplomacy,  and  international  development. 

Cyber  Dawn:  Libya 

Cyber  Security  Forum 
Initiative 

May  9,  20 1  1 

70 

Project  Cyber  Dawn:  Libya  uses  open  source  material  to 
provide  an  in-depth  view  of  Libyan  cyberwarfare 
capabilities  and  defenses. 
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Working  Towards  Rules  for  Governing  Cyber 
Conflict:  Rendering  the  Geneva  and  Hague 
Conventions  in  Cyberspace 

EastWest  Institute 

February  3,  20 1  1 

60 

[The  authors]  led  the  cyber  and  traditional  security 
experts  through  a  point-by-point  analysis  of  the  Geneva 
and  Hague  Conventions.  Ultimately,  the  group  made  five 
immediate  recommendations  for  Russian  and  U.S.-led 
joint  assessments,  each  exploring  how  to  apply  a  key 
convention  principle  to  cyberspace. 

The  Reliability  of  Global  Undersea 
Communications  Cable  Infrastructure  (The 
Rogucci  Report) 

lEEE/EastWest  Institute 

May  26,  2010 

186 

This  study  submits  12  major  recommendations  to  the 
private  sector,  governments  and  other  stakeholders — 
especially  the  financial  sector — for  the  purpose  of 
improving  the  reliability,  robustness,  resilience,  and 
security  of  the  world’s  undersea  communications  cable 
infrastructure. 

German  Anti-Botnet  Initiative 

Organisation  for  Economic 
Co-operation  and 
Development  (OECD) 

December  8,  2009 

4 

This  is  a  private  industry  initiative  which  aims  to  ensure 
that  customers  whose  personal  computers  have  become 
part  of  a  botnet  without  them  being  aware  of  it  are 
informed  by  their  Internet  Service  Providers  about  this 
situation  and  at  the  same  time  are  given  competent 
support  in  removing  the  malware. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
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Table  8.  Education/Training/Workforce 


Title 

Source 

Date 

Pages 

Notes 

NCCoE  National  Cybersecurity  Excellence 
Partnerships 

NIST  National 

Cybersecurity  Center  of 
Excellence 

Ongoing 

N/A 

Established  in  2012  through  a  partnership  between  NIST, 
the  state  of  Maryland,  and  Montgomery  County,  the 
NCCoE  is  dedicated  to  furthering  innovation  through  the 
rapid  identification,  integration,  and  adoption  of  practical 
cybersecurity  solutions.  The  NCCoE  is  part  of  the  NIST 
Information  Technology  Laboratory  and  operates  in  close 
collaboration  with  the  Computer  Security  Division. 

National  Initiative  for  Cybersecurity  Careers  and 
Studies  (NICCS) 

Department  of  Homeland 
Security 

Ongoing 

N/A 

NICCS  is  an  online  resource  for  cybersecurity  career, 
education,  and  training  information.  It  is  a  partnership 
between  DHS,  the  National  Institute  of  Standards  and 
Technology,  the  Office  of  the  Director  of  National 
Intelligence,  the  Department  of  Defense,  the  Department 
of  Education,  the  National  Science  Foundation,  and  the 
Office  of  Personnel  Management. 

Experimental  Research  Testbed  (DETER) 

Department  of  Homeland 
Security 

Ongoing 

N/A 

The  DETER  testbed  is  used  to  test  and  evaluate 
cybersecurity  technologies  by  over  200  organizations 
from  more  than  20  states  and  17  countries,  including 
DHS-funded  researchers,  the  larger  cybersecurity 
research  community,  government,  industry,  academia, 
and  educational  users. 

Michigan  Cyber  Range 

Partnership  between  the 
state  of  Michigan,  Merit 
Network,  federal  and  local 
governments,  colleges  and 
universities,  and  the  private 
sector 

Ongoing 

N/A 

Enables  individuals  and  organizations  to  develop 
detection  and  reaction  skills  through  simulations  and 
exercises. 

Information  Assurance  Scholarship  Program 

Department  of  Defense 

Ongoing 

N/A 

The  Information  Assurance  Scholarship  Program  is 

designed  to  increase  the  number  of  qualified  personnel 
entering  the  information  assurance  and  information 
technology  fields  within  the  department.  The  scholarships 
also  are  an  attempt  to  effectively  retain  military  and 
civilian  cybersecurity  and  IT  personnel. 
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National  Centers  of  Academic  Excellence  (CAE) 
in  Cyber  Operations  Program 


DHS  Is  Generally  Filling  Mission-Critical  Positions, 
but  Could  Better  Track  Costs  of  Coordinated 
Recruiting  Efforts 


Professionalizing  the  Nation’s  Cybersecurity 
Workforce?:  Criteria  for  Decision-Making 


Joint  Professional  Military  Education  Institutions  in 
an  Age  of  Cyber  Threat 


National  Security  Agency 
(NS  A) 


GAO 


National  Academies  Press 


Francesca  Spidalieri  (Pell 
Center  Fellow) 
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Pages 


Notes 


Ongoing 


September  17,  2013 


September  1 6,  20 1 3 


August  7,  20123 


N/A  The  NSA  has  launched  National  Centers  of  Academic 
Excellence  (CAE)  in  Cyber  Operations  Program;  the 
program  is  intended  to  be  a  deeply  technical,  inter¬ 
disciplinary,  higher  education  program  grounded  in  the 
computer  science  (CS),  computer  engineering  (CE),  or 
electrical  engineering  (EE)  disciplines,  with  extensive 
opportunities  for  hands-on  applications  via  labs  and 
exercises. 

47  More  than  one  in  five  jobs  at  a  key  cybersecurity 

component  within  the  Homeland  Security  Department 
are  vacant,  in  large  part  due  to  steep  competition  in 
recruiting  and  hiring  qualified  personnel.  National 
Protection  and  Programs  Directorate  (NPPD)  officials 
cited  challenges  in  recruiting  cyber  professionals  because 
of  the  length  of  time  taken  to  conduct  security  checks  to 
grant  top-secret  security  clearances  as  well  as  low  pay  in 
comparison  with  the  private  sector. 

66  This  report  examines  workforce  requirements  for 
cybersecurity  and  the  segments  and  job  functions  in 
which  professionalization  is  most  needed;  the  role  of 
assessment  tools,  certification,  licensing,  and  other  means 
for  assessing  and  enhancing  professionalization;  and 
emerging  approaches,  such  as  performance-based 
measures.  It  also  examines  requirements  for  the  federal 
(military  and  civilian)  workforce,  the  private  sector,  and 
state  and  local  government. 

1 8  The  report  found  that  the  Joint  Professional  Military 
Education  at  the  six  U.S.  military  graduate  schools — a 
requirement  for  becoming  a  Joint  Staff  Officer  and  for 
promotion  to  the  senior  ranks — has  not  effectively 
incorporated  cybersecurity  into  specific  courses, 
conferences,  war  gaming  exercises,  or  other  forms  of 
training  for  military  officers.  While  these  graduate 
programs  are  more  advanced  on  cybersecurity  than  most 
American  civilian  universities,  a  preparation  gap  still 
exists. 


Title 


Source 


Special  Cybersecurity  Workforce  Project  (Memo  Office  of  Personnel 
for  Heads  of  Executive  Departments  and  Management  (OPM) 

Agencies) 


U.SA.  Cyber  Warrior  Scholarship  Program  (ISC)2  Foundation  and  Booz 

Allen  Hamilton 


Global  Information  Security  Workforce  Study  (ISC)2  and  Frost  &  Sullivan 


Proposed  Establishment  of  a  Federally  Funded 
Research  and  Development  Center-First  Notice 


DHS  Secretary’s  Honors  Program:  Cyber  Student  Department  of  Homeland 
Initiative  Security 
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Pages 


Notes 


July  8,  2013 


June  21,  2013 


May  7,2013 


April  22,  2013 


April  18,  2013 


N/A  The  OPM  is  collaborating  with  the  White  House  Office 
of  Science  and  Technology  Policy,  the  Chief  Human 
Capital  Officers  Council  (CHCOC),  and  the  Chief 
Information  Officers  Council  (CIOC)  in  implementing  a 
special  workforce  project  that  tasks  federal  agencies' 
cybersecurity,  information  technology,  and  human 
resources  communities  to  build  a  statistical  data  set  of 
existing  and  future  cybersecurity  positions  in  the  OPM 
Enterprise  Human  Resources  Integration  (EHRI)  data 
warehouse  by  the  end  of  FY20I4. 

The  (ISC)2  Foundation  and  Booz  Allen  Hamilton 
announced  the  launch  of  the  U.S.A.  Cyber  Warrior 
Scholarship  program,  which  will  provide  scholarships  to 
veterans  to  obtain  specialized  certifications  in  the 
cybersecurity  field.  The  scholarships  will  cover  all  of  the 
expenses  associated  with  a  certification,  such  as  training, 
textbooks,  mobile  study  materials,  certification  testing, 
and  the  first  year  of  certification  maintenance  fees. 

28  Federal  cyber  workers  earn  an  average  salary  of 

$  1 06,430,  less  than  the  average  private-sector  salary  of 
$1  I  1,376.  The  lag  in  federal  salaries  is  likely  due  to 
federal  budget  restraints  and  nearly  three  years  of  a 
continuing  resolution. 

2  To  help  the  National  Cybersecurity  Center  of  Excellence 
(NCCoE)  address  industry’s  needs  most  efficiently,  NIST 
will  sponsor  its  first  Federally  Funded  Research  and 
Development  Center  (FFRDC)  to  facilitate  public-private 
collaboration  for  accelerating  the  widespread  adoption  of 
integrated  cybersecurity  tools  and  technologies. 

2  The  Cyber  Student  Initiative  program  will  begin  at 
Immigration  and  Customs  Enforcement  computer 
forensic  labs  in  36  cities  nationwide,  where  students  will 
be  trained  and  gain  hands-on  experience  within  the 
department’s  cybersecurity  community.  The  unpaid 
volunteer  program  is  only  available  to  community  college 
students  and  veterans  pursuing  a  degree  in  the 
cybersecurity  field. 
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2012  Information  Technology  Workforce 
Assessment  for  Cybersecurity 

U.S.  Department  of 

Homeland  Security 

March  14,  2013 

131 

The  report,  which  is  based  on  an  anonymous  survey  of 
nearly  23,000  cyber  workers  across  52  departments  and 
agencies,  found  that  while  the  majority  (49%)  of  cyber 
feds  has  more  than  10  years  of  service  until  they  reach 
retirement  eligibility,  nearly  33%  will  be  eligible  to  retire 
in  the  next  three  years. 

CyberSkills  Task  Force  Report 

U.S.  Department  of 

Homeland  Security 

October  20 1 2 

41 

DHS’s  Task  Force  on  CyberSkills  proposes  far-reaching 
improvements  to  enable  DHS  to  recruit  and  retain  the 
cybersecurity  talent  it  needs. 

Cyber  Security  Test  Bed:  Summary  and  Evaluation 
Results 

Institute  for  Homeland 
Security  Solutions 

October  20 1 2 

89 

The  Cyber  Test  Bed  project  was  a  case  study  analysis  of 
how  a  set  of  interventions,  including  threat  analysis,  best 
practices  sharing,  and  executive  and  staff  training  events, 
over  the  course  of  one  year,  would  impact  a  group  of 
nine  small  and  mid-size  businesses  in  North  Carolina. 

Pre-  and  post-Test  Bed  interviews  were  conducted  with 
company  officials  to  establish  a  baseline  and  evaluate  the 
impact  of  the  Test  Bed  experience.  After  the  Cyber  Test 
Bed  experience,  decision  makers  at  these  companies 
indicated  an  increase  in  their  perceptions  of  the  risk  of 
cyberattacks  and  an  increase  in  their  knowledge  of 
possible  solution. 

Preparing  the  Pipeline:  The  U.S.  Cyber 

Workforce  for  the  Future 

National  Defense  University 

August  2012 

17 

This  paper  addresses  methods  to  close  the  gaps  between 
demand  and  the  current  existing  capabilities  and  capacity 
in  the  U.S.  cyber  workforce.  A  large  number  of 
professionals  with  not  only  technical  skills,  but  also  an 
understanding  of  cyber  policy,  law,  and  other  disciplines 
will  be  needed  to  ensure  the  continued  success  of  the 

U.S.  economy,  government,  and  society  in  the  21st- 
century  information  age.  Innovative  methods  have  been 
developed  by  the  government,  think  tanks,  and  private 
sector  for  closing  these  gaps,  but  more  needs  to  be  done. 

Smart  Grid  Cybersecurity:  Job  Performance 

Model  Report 

Pacific  Northwest  National 
Laboratory 

August  20 1 2 

178 

This  report  outlines  the  work  done  to  develop  a  smart 
grid  cybersecurity  certification.  The  primary  purpose  is  to 
develop  a  measurement  model  that  may  be  used  to  guide 
curriculum,  assessments,  and  other  development  of 
technical  and  operational  smart  grid  cybersecurity 
knowledge,  skills,  and  abilities. 
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Cybersecurity  Human  Capital:  Initiatives  Need  Government  Accountability 
Better  Planning  and  Coordination  Office  (GAO) 


NICE  Cybersecurity  Workforce  Framework  National  Initiative  for 

Cybersecurity  Education 
(NICE) 


The  State  of  K-12  Cyberethics,  Cybersafety  and  National  Cyber  Security 
Cybersecurity  Curriculum  in  the  United  States  Alliance  and  Microsoft 


November  29,  201  I  86  To  ensure  that  government-wide  cybersecurity 

workforce  initiatives  are  better  coordinated  and  planned, 
and  to  better  assist  federal  agencies  in  defining  roles, 
responsibilities,  skills,  and  competencies  for  their 
workforce,  the  Secretary  of  Commerce,  Director  of  the 
Office  of  Management  and  Budget,  Director  of  the  Office 
of  Personnel  Management,  and  Secretary  of  Homeland 
Security  should  collaborate  through  the  National 
Initiative  for  Cybersecurity  Education  (NICE)  linitiative  to 
develop  and  finalize  detailed  plans  allowing  agency 
accountability,  measurement  of  progress,  and 
determination  of  resources  to  accomplish  agreed-upon 
activities. 

November  21, 201  I  35  The  adoption  of  cloud  computing  into  the  federal 

government  and  its  implementation  depend  upon  a 
variety  of  technical  and  non-technical  factors.  A 
fundamental  reference  point,  based  on  the  NIST 
definition  of  cloud  computing,  is  needed  to  describe  an 
overall  framework  that  can  be  used  government-wide. 
This  document  presents  the  NIST  Cloud  Computing 
Reference  Architecture  (RA)  and  Taxonomy  (Tax)  that 
will  accurately  communicate  the  components  and 
offerings  of  cloud  computing. 

May  20 1  I  16  This  year’s  survey  further  explores  the  perceptions  and 

practices  of  U.S.  teachers,  school  administrators  and 
technology  coordinators  in  regards  to  cyberethics, 
cybersafety,  and  cybersecurity  education.  The  survey 
finds  that  young  people  still  are  not  receiving  adequate 
training  and  that  teachers  are  ill-prepared  to  teach  the 
subjects  due,  in  large  part,  to  lack  of  professional 
development. 
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Cyber  Operations  Personnel  Report  Department  of  Defense  April  201  I  84  This  report  is  focused  on  FY09  Department  of  Defense 

Cyber  Operations  personnel,  with  duties  and 
responsibilities  as  defined  in  Section  934  of  the  Fiscal 
Year  (FY)  2010  National  Defense  Authorization  Act 
(NDAA). 

Appendix  A — Cyber  Operations-related  Military 
Occupations 

Appendix  B — Commercial  Certifications  Supporting  the 
DoD  Information  Assurance  Workforce  Improvement 
Program 

Appendix  C — Military  Services  Training  and 
Development 

Appendix  D — Geographic  Location  of  National  Centers 
of  Academic  Excellence  in  Information  Assurance 

The  Power  of  People:  Building  an  Integrated  Project  on  National  Security  November  20 10  326  This  study  was  conducted  in  fulfillment  of  Section  1054  of 

National  Security  Professional  System  for  the  21st  Reform  (PNSR)  the  National  Defense  Authorization  Act  for  Fiscal  Year  20/0, 

Century  which  required  the  commissioning  of  a  study  by  “an 

appropriate  independent,  nonprofit  organization,  of  a 
system  for  career  development  and  management  of 
interagency  national  security  professionals.” 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
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Cybersecurity:  Authoritative  Reports  and  Resources,  by  Topic 


Selected  Reports,  by  Federal  Agency 

This  section  contains  selected  cybersecurity  reports  from  U.S.  government  agencies,  including  the  White 
House,  the  Office  of  Management  and  Budget  (OMB),  the  Government  Accountability  Office  (GAO),  the 
Department  of  Defense  (DOD),  the  National  Institute  of  Standards  and  Technology  (NIST),  and  others. 


Congressional  Research  Service 


50 


Table  9.  Government  Accountability  Office  (GAO) 


Title 


Date  Pages 


Notes 


Critical  Infrastructure  Protection:  More  Comprehensive  January  27,  2013 
Planning  Would  Enhance  the  Cybersecurity  of  Public  Safety 
Entities'  Emerging  Technology 


Agency  Responses  to  Breaches  of  Personally  Identifiable  December  9,  20 1 3 
Information  Need  to  Be  More  Consistent 


GPS  Disruptions:  Efforts  to  Assess  Risks  to  Critical  November  6,  2013 

Infrastructure  and  Coordinate  Agency  Actions  Should  Be 

Enhanced 


DHS  Is  Generally  Filling  Mission-Critical  Positions,  but  September  17,  2013 

Could  Better  Track  Costs  of  Coordinated  Recruiting 

Efforts 


41  GAO  was  asked  to  review  federal  coordination  with  state  and  local 

governments  regarding  cybersecurity  at  public  safety  entities.  The  objective 
was  to  determine  the  extent  to  which  federal  agencies  coordinated  with  state 
and  local  governments  regarding  cybersecurity  efforts  at  emergency 
operations  centers,  public  safety  answering  points,  and  first  responder 
organizations  involved  in  handling  91  I  emergency  calls.  To  do  so,  GAO 
analyzed  relevant  plans  and  reports  and  interviewed  officials  at  (I)  five 
agencies  that  were  identified  based  on  their  roles  and  responsibilities 
established  in  federal  law,  policy,  and  plans  and  (2)  selected  industry 
associations  and  state  and  local  governments. 

67  GAO  recommends,  “Recommendation:  To  improve  the  consistency  and 
effectiveness  of  governmentwide  data  breach  response  programs,  the 
Director  of  OMB  should  update  its  guidance  on  federal  agencies'  responses  to 
a  Pll-related  data  breach  to  include  (I)  guidance  on  notifying  affected 
individuals  based  on  a  determination  of  the  level  of  risk;  (2)  criteria  for 
determining  whether  to  offer  assistance,  such  as  credit  monitoring  to  affected 
individuals;  and  (3)  revised  reporting  requirements  for  Pll-related  breaches  to 
US-CERT,  including  time  frames  that  better  reflect  the  needs  of  individual 
agencies  and  the  government  as  a  whole  and  consolidated  reporting  of 
incidents  that  pose  limited  risk.” 

58  GAO  was  asked  to  review  the  effects  of  GPS  disruptions  on  the  nation’s 
critical  infrastructure.  GAO  examined  (I)  the  extent  to  which  DHS  has 
assessed  the  risks  and  potential  effects  of  GPS  disruptions  on  critical 
infrastructure,  (2)  the  extent  to  which  DOT  [Department  of  Transportation] 
and  DHS  have  developed  backup  strategies  to  mitigate  GPS  disruptions,  and 
(3)  what  strategies,  if  any,  selected  critical  infrastructure  sectors  employ  to 
mitigate  GPS  disruptions  and  any  remaining  challenges. 

47  One  in  five  jobs  at  a  key  cybersecurity  component  within  DHS  is  vacant,  in 

large  part  due  to  steep  competition  in  recruiting  and  hiring  qualified  personnel. 
National  Protection  and  Programs  Directorate  (NPPD)  officials  cited 
challenges  in  recruiting  cyber  professionals  because  of  the  length  of  time  taken 
to  conduct  security  checks  to  grant  top-secret  security  clearances  as  well  as 
low  pay  in  comparison  with  the  private  sector. 
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Telecommunications  Networks:  Addressing  Potential 
Security  Risks  of  Foreign-Manufactured  Equipment 

May  21, 2013 

52 

The  federal  government  has  begun  efforts  to  address  the  security  of  the 
supply  chain  for  commercial  networks...  There  are  a  variety  of  other 
approaches  for  addressing  the  potential  risks  posed  by  foreign-manufactured 
equipment  in  commercial  communications  networks,  including  those 
approaches  taken  by  foreign  governments...  Although  these  approaches  are 
intended  to  improve  supply  chain  security  of  communications  networks,  they 
may  also  create  the  potential  for  trade  barriers,  additional  costs,  and 
constraints  on  competition,  which  the  federal  government  would  have  to  take 
into  account  if  it  chose  to  pursue  such  approaches. 

Outcome-Based  Measures  Would  Assist  DHS  in  Assessing 
Effectiveness  of  Cybersecurity  Efforts 

April  1  1,  2013 

45 

Until  the  Department  of  Homeland  Security  and  its  sector  partners  develop 
appropriate  outcome-oriented  metrics,  it  will  be  difficult  to  gauge  the 
effectiveness  of  efforts  to  protect  the  nation’s  core  and  access 
communications  networks  and  critical  support  components  of  the  Internet 
from  cyber  incidents.  While  no  cyber  incidents  have  been  reported  affecting 
the  nation’s  core  and  access  networks,  communications  networks  operators 
can  use  reporting  mechanisms  established  by  FCC  and  DHS  to  share 
information  on  outages  and  incidents. 

Information  Sharing:  Agencies  Could  Better  Coordinate  to 
Reduce  Overlap  in  Field-Based  Activities 

April  4,2013 

72 

Agencies  have  neither  held  entities  accountable  for  coordinating  nor  assessed 
opportunities  for  further  enhancing  coordination  to  help  reduce  the  potential 
for  overlap  and  achieve  efficiencies.  The  Departments  of  Justice  (DOJ)  and 

DHS,  and  the  Office  of  National  Drug  Control  Policy  (ONDCP) — the  federal 
agencies  that  oversee  or  provide  support  to  the  five  types  of  field-based 
entities — acknowledged  that  entities  working  together  and  sharing  information 
is  important,  but  they  do  not  hold  the  entities  accountable  for  such 
coordination. 

Cybersecurity:  A  Better  Defined  and  Implemented 

National  Strategy  Is  Needed  to  Address  Persistent 
Challenges 

March  7,  2013 

36 

“[AJIthough  federal  law  assigns  the  Office  of  Management  and  Budget  (OMB) 
responsibility  for  oversight  of  federal  government  information  security,  OMB 
recently  transferred  several  of  these  responsibilities  to  DHS....  [I]t  remains 
unclear  how  OMB  and  DHS  are  to  share  oversight  of  individual  departments 
and  agencies.  Additional  legislation  could  clarify  these  responsibilities.” 

2013  High  Risk  List 

February  14,  2013 

275 

Every  two  years  at  the  start  of  a  new  Congress,  GAO  calls  attention  to 
agencies  and  program  areas  that  are  high  risk  due  to  their  vulnerabilities  to 
fraud,  waste,  abuse,  and  mismanagement,  or  are  most  in  need  of 
transformation.  Cybersecurity  programs  on  the  list  include:  Protecting  the 

Federal  Government’s  Information  Systems  and  the  Nation's  Cyber  Critical 
Infrastructures  and  Ensuring  the  Effective  Protection  of  Technologies  Critical  to  U.S. 
National  Security  Interests. 
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Cybersecurity:  National  Strategy,  Roles,  and 

Responsibilities  Need  to  Be  Better  Defined  and  More 
Effectively  Implemented 

February  14,  201  3 

1  12 

GAO  recommends  that  the  White  House  Cybersecurity  Coordinator  develop 
an  overarching  federal  cybersecurity  strategy  that  includes  all  key  elements  of 
the  desirable  characteristics  of  a  national  strategy.  Such  a  strategy  would 
provide  a  more  effective  framework  for  implementing  cybersecurity  activities 
and  better  ensure  that  such  activities  will  lead  to  progress  in  cybersecurity. 

Information  Security:  Federal  Communications 

Commission  Needs  to  Strengthen  Controls  over  Enhanced 
Secured  Network  Project 

January  25,  20 1 3 

35 

“The  FCC  did  not  effectively  implement  appropriate  information  security 
controls  in  the  initial  components  of  the  Enhanced  Secured  Network  (ESN) 
project....  Weaknesses  identified  in  the  commission’s  deployment  of 
components  of  the  ESN  project  as  of  August  2012  resulted  in  unnecessary  risk 
that  sensitive  information  could  be  disclosed,  modified,  or  obtained  without 
authorization.  GAO  is  making  seven  recommendations  to  the  FCC  to 
implement  management  controls  to  help  ensure  that  ESN  meets  its  objective 
of  securing  FCC's  systems  and  information.” 

Cybersecurity:  Challenges  in  Securing  the  Electricity  Grid 

July  17,  2012 

25 

In  a  prior  report,  GAO  has  made  recommendations  related  to  electricity  grid 
modernization  efforts,  including  developing  an  approach  to  monitor 
compliance  with  voluntary  standards.  These  recommendations  have  not  yet 
been  implemented. 

Information  Technology  Reform:  Progress  Made  but 

Future  Cloud  Computing  Efforts  Should  be  Better  Planned 

July  1  1, 2012 

43 

To  help  ensure  the  success  of  agencies’  implementation  of  cloud-based 
solutions,  the  Secretaries  of  Agriculture,  Health  and  Human  Services, 

Homeland  Security,  State,  and  the  Treasury,  and  the  Administrators  of  the 
General  Services  Administration  and  Small  Business  Administration  should 
direct  their  respective  chief  information  officer  (CIO)  to  establish  estimated 
costs,  performance  goals,  and  plans  to  retire  associated  legacy  systems  for 
each  cloud-based  service  discussed  in  this  report,  as  applicable. 

Electronic  Warfare:  DOD  Actions  Needed  to  Strengthen 
Management  and  Oversight 

July  9,2012 

46 

DOD’s  oversight  of  electronic  warfare  capabilities  may  be  further  complicated 
by  its  evolving  relationship  with  computer  network  operations,  which  is  also 
an  information  operations-related  capability.  Without  clearly  defined  roles  and 
responsibilities  and  updated  guidance  regarding  oversight  responsibilities, 

DOD  does  not  have  reasonable  assurance  that  its  management  structures  will 
provide  effective  department-wide  leadership  for  electronic  warfare  activities 
and  capabilities  development  and  ensure  effective  and  efficient  use  of  its 
resources. 

Information  Security:  Cyber  Threats  Facilitate  Ability  to 
Commit  Economic  Espionage 

June  28,  2012 

20 

This  statement  discusses  (1)  cyber  threats  facing  the  nation’s  systems,  (2) 
reported  cyber  incidents  and  their  impacts,  (3)  security  controls  and  other 
techniques  available  for  reducing  risk,  and  (4)  the  responsibilities  of  key  federal 
entities  in  support  of  protecting  IP. 
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Cybersecurity:  Challenges  to  Securing  the  Modernized 
Electricity  Grid 

February  28,  20 1 2 

19 

As  GAO  reported  in  January  2011,  securing  smart  grid  systems  and  networks 
presented  a  number  of  key  challenges  that  required  attention  by  government 
and  industry.  GAO  made  several  recommendations  to  the  Federal  Energy 
Regulatory  Commission  (FERC)  aimed  at  addressing  these  challenges.  The 
commission  agreed  with  these  recommendations  and  described  steps  it  is 
taking  to  implement  them. 

Critical  Infrastructure  Protection:  Cybersecurity  Guidance 

Is  Available,  but  More  Can  Be  Done  to  Promote  Its  Use 

December  9,  20 1  1 

77 

Given  the  plethora  of  guidance  available,  individual  entities  within  the  sectors 
may  be  challenged  in  identifying  the  guidance  that  is  most  applicable  and 
effective  in  improving  their  security  posture.  Improved  knowledge  of  the 
guidance  that  is  available  could  help  both  federal  and  private  sector  decision 
makers  better  coordinate  their  efforts  to  protect  critical  cyber-reliant  assets. 

Cybersecurity  Human  Capital:  Initiatives  Need  Better 
Planning  and  Coordination 

November  29,  20 1  1 

86 

All  the  agencies  GAO  reviewed  faced  challenges  determining  the  size  of  their 
cybersecurity  workforce  because  of  variations  in  how  work  is  defined  and  the 
lack  of  an  occupational  series  specific  to  cybersecurity.  With  respect  to  other 
workforce  planning  practices,  all  agencies  had  defined  roles  and  responsibilities 
for  their  cybersecurity  workforce,  but  these  roles  did  not  always  align  with 
guidelines  issued  by  the  federal  Chief  Information  Officers  Council  (CIOC) 
and  National  Institute  of  Standards  and  Technology  (NIST). 

Federal  Chief  Information  Officers:  Opportunities  Exist  to 
Improve  Role  in  Information  Technology  Management 

October  17,  201  1 

72 

GAO  is  recommending  that  OMB  update  its  guidance  to  establish  measures  of 
accountability  for  ensuring  that  CIOs’  responsibilities  are  fully  implemented 
and  require  agencies  to  establish  internal  processes  for  documenting  lessons 
learned. 

Information  Security:  Additional  Guidance  Needed  to 
Address  Cloud  Computing  Concerns 

October  5,  201  1 

17 

Twenty-two  of  24  major  federal  agencies  reported  that  they  were  either 
concerned  or  very  concerned  about  the  potential  information  security  risks 
associated  with  cloud  computing.  GAO  recommended  that  the  NIST  issue 
guidance  specific  to  cloud  computing  security. 

Information  Security:  Weaknesses  Continue  Amid  New 
Federal  Efforts  to  Implement  Requirements 

October  3,  2011 

49 

Weaknesses  in  information  security  policies  and  practices  at  24  major  federal 
agencies  continue  to  place  the  confidentiality,  integrity,  and  availability  of 
sensitive  information  and  information  systems  at  risk.  Consistent  with  this 
risk,  reports  of  security  incidents  from  federal  agencies  are  on  the  rise, 
increasing  over  650%  over  the  past  5  years.  Each  of  the  24  agencies  reviewed 
had  weaknesses  in  information  security  controls. 

Federal  Chief  Information  Officers:  Opportunities  Exist  to 
Improve  Role  in  Information  Technology  Management 

October  17,  201  1 

72 

GAO  is  recommending  that  the  Office  of  Management  and  Budget  (OMB) 
update  its  guidance  to  establish  measures  of  accountability  for  ensuring  that 
CIOs’  responsibilities  are  fully  implemented  and  require  agencies  to  establish 
internal  processes  for  documenting  lessons  learned. 
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Defense  Department  Cyber  Efforts:  Definitions,  Focal 

Point,  and  Methodology  Needed  for  DOD  to  Develop 
Full-Spectrum  Cyberspace  Budget  Estimates 

July  29,  201  1 

33 

This  letter  discusses  the  Department  of  Defense’s  cyber  and  information 
assurance  budget  for  FY20I2  and  future  years  defense  spending.  The 
objectives  of  this  review  were  to  (1)  assess  the  extent  to  which  DOD  has 
prepared  an  overarching  budget  estimate  for  full-spectrum  cyberspace 
operations  across  the  department  and  (2)  identify  the  challenges  DOD  has 
faced  in  providing  such  estimates. 

Continued  Attention  Needed  to  Protect  Our  Nation’s 
Critical  Infrastructure 

July  26,  201  1 

20 

A  number  of  significant  challenges  remain  to  enhancing  the  security  of  cyber- 
reliant  critical  infrastructures,  such  as  (1)  implementing  actions  recommended 
by  the  President's  cybersecurity  policy  review;  (2)  updating  the  national 
strategy  for  securing  the  information  and  communications  infrastructure; 

(3)  reassessing  DHS's  planning  approach  to  critical  infrastructure  protection; 

(4)  strengthening  public-private  partnerships,  particularly  for  information 
sharing;  (5)  enhancing  the  national  capability  for  cyber  warning  and  analysis; 

(6)  addressing  global  aspects  of  cybersecurity  and  governance;  and  (7)  securing 
the  modernized  electricity  grid. 

Defense  Department  Cyber  Efforts:  DOD  Faces 

Challenges  in  Its  Cyber  Activities 

July  25,  201  1 

79 

GAO  recommends  that  DOD  evaluate  how  it  is  organized  to  address 
cybersecurity  threats;  assess  the  extent  to  which  it  has  developed  joint 
doctrine  that  addresses  cyberspace  operations;  examine  how  it  assigned 
command  and  control  responsibilities;  and  determine  how  it  identifies  and  acts 
to  mitigate  key  capability  gaps  involving  cyberspace  operations. 

Information  Security:  State  Has  Taken  Steps  to  Implement 
a  Continuous  Monitoring  Application,  but  Key  Challenges 
Remain 

July  8,  201  1 

63 

The  Department  of  State  implemented  a  custom  application  called  iPost  and  a 
risk  scoring  program  that  is  intended  to  provide  continuous  monitoring 
capabilities  of  information  security  risk  to  elements  of  its  information 
technology  (IT)  infrastructure.  To  improve  implementation  of  iPost  at  State, 
the  Secretary  of  State  should  direct  the  Chief  Information  Officer  to  develop, 
document,  and  maintain  an  iPost  configuration  management  and  test  process. 

Cybersecurity:  Continued  Attention  Needed  to  Protect 

Our  Nation’s  Critical  Infrastructure  and  Federal 

Information  Systems 

March  16,  201  1 

16 

Executive  branch  agencies  have  made  progress  instituting  several  government¬ 
wide  initiatives  aimed  at  bolstering  aspects  of  federal  cybersecurity,  such  as 
reducing  the  number  of  federal  access  points  to  the  Internet,  establishing 
security  configurations  for  desktop  computers,  and  enhancing  situational 
awareness  of  cyber  events.  Despite  these  efforts,  the  federal  government 
continues  to  face  significant  challenges  in  protecting  the  nation's  cyber-reliant 
critical  infrastructure  and  federal  information  systems. 
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Electricity  Grid  Modernization:  Progress  Being  Made  on 
Cybersecurity  Guidelines,  but  Key  Challenges  Remain  to 
be  Addressed 

January  1 2,  20 1  1 

50 

GAO  identified  six  key  challenges:  (1)  Aspects  of  the  regulatory  environment 
may  make  it  difficult  to  ensure  smart  grid  systems’  cybersecurity.  (2)  Utilities 
are  focusing  on  regulatory  compliance  instead  of  comprehensive  security.  (3) 

The  electric  industry  does  not  have  an  effective  mechanism  for  sharing 
information  on  cybersecurity.  (4)  Consumers  are  not  adequately  informed 
about  the  benefits,  costs,  and  risks  associated  with  smart  grid  systems.  (5) 

There  is  a  lack  of  security  features  being  built  into  certain  smart  grid  systems. 

(6)  The  electricity  industry  does  not  have  metrics  for  evaluating  cybersecurity. 

Information  Security:  Federal  Agencies  Have  Taken  Steps 
to  Secure  Wireless  Networks,  but  Further  Actions  Can 
Mitigate  Risk 

November  30,  20 1 0 

50 

Existing  government-wide  guidelines  and  oversight  efforts  do  not  fully  address 
agency  implementation  of  leading  wireless  security  practices.  Until  agencies 
take  steps  to  better  implement  these  leading  practices,  and  OMB  takes  steps 
to  improve  government-wide  oversight,  wireless  networks  will  remain  at  an 
increased  vulnerability  to  attack. 

Cyberspace  Policy:  Executive  Branch  Is  Making  Progress 
Implementing  2009  Policy  Review  Recommendations,  but 
Sustained  Leadership  Is  Needed 

October  6,  2010 

66 

Of  the  24  recommendations  in  the  President’s  May  2009  cyber  policy  review 
report,  2  have  been  fully  implemented,  and  22  have  been  partially 
implemented.  While  these  efforts  appear  to  be  steps  forward,  agencies  were 
largely  not  able  to  provide  milestones  and  plans  that  showed  when  and  how 
implementation  of  the  recommendations  was  to  occur. 

DHS  Efforts  to  Assess  and  Promote  Resiliency  Are 

Evolving  but  Program  Management  Could  Be  Strengthened 

September  23,  2010 

46 

The  Department  of  Homeland  Security  (DHS)  has  not  developed  an  effective 
way  to  ensure  that  critical  national  infrastructure,  such  as  electrical  grids  and 
telecommunications  networks,  can  bounce  back  from  a  disaster.  DHS  has 
conducted  surveys  and  vulnerability  assessments  of  critical  infrastructure  to 
identify  gaps,  but  has  not  developed  a  way  to  measure  whether  owners  and 
operators  of  that  infrastructure  adopt  measures  to  reduce  risks. 

Information  Security:  Progress  Made  on  Harmonizing 

Policies  and  Guidance  for  National  Security  and  Non- 
National  Security  Systems 

September  15,  2010 

38 

OMB  and  NIST  established  policies  and  guidance  for  civilian  non-national 
security  systems,  while  other  organizations,  including  the  Committee  on 

National  Security  Systems  (CNSS),  DOD,  and  the  U.S.  intelligence  community, 
have  developed  policies  and  guidance  for  national  security  systems.  GAO  was 
asked  to  assess  the  progress  of  federal  efforts  to  harmonize  policies  and 
guidance  for  these  two  types  of  systems. 

United  States  Faces  Challenges  in  Addressing  Global 
Cybersecurity  and  Governance 

August  2,  20 1 0 

53 

GAO  recommends  that  the  Special  Assistant  to  the  President  and 

Cybersecurity  Coordinator  should  make  recommendations  to  appropriate 
agencies  and  interagency  coordination  committees  regarding  any  necessary 
changes  to  more  effectively  coordinate  and  forge  a  coherent  national 
approach  to  cyberspace  policy. 
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Critical  Infrastructure  Protection:  Key  Private  and  Public 
Cyber  Expectations  Need  to  Be  Consistently  Addressed 

July  15,  2010 

38 

The  Special  Assistant  to  the  President  and  Cybersecurity  Coordinator  and  the 
Secretary  of  Homeland  Security  should  take  two  actions:  (1)  use  the  results  of 
this  report  to  focus  their  information-sharing  efforts,  including  their  relevant 
pilot  projects,  on  the  most  desired  services,  including  providing  timely  and 
actionable  threat  and  alert  information,  access  to  sensitive  or  classified 
information,  a  secure  mechanism  for  sharing  information,  and  security 
clearance  and  (2)  bolster  the  efforts  to  build  out  the  National  Cybersecurity 
and  Communications  Integration  Center  as  the  central  focal  point  for 
leveraging  and  integrating  the  capabilities  of  the  private  sector,  civilian 
government,  law  enforcement,  the  military,  and  the  intelligence  community. 

Federal  Guidance  Needed  to  Address  Control  Issues  With 
Implementing  Cloud  Computing 

July  1,  2010 

53 

To  assist  federal  agencies  in  identifying  uses  for  cloud  computing  and 
information  security  measures  to  use  in  implementing  cloud  computing,  the 
Director  of  OMB  should  establish  milestones  for  completing  a  strategy  for 
implementing  the  federal  cloud  computing  initiative. 

Continued  Attention  Is  Needed  to  Protect  Federal 
Information  Systems  from  Evolving  Threats 

June  16,2010 

15 

Multiple  opportunities  exist  to  improve  federal  cybersecurity.  To  address 
identified  deficiencies  in  agencies’  security  controls  and  shortfalls  in  their 
information  security  programs,  GAO  and  agency  inspectors  general  have 
made  hundreds  of  recommendations  over  the  past  several  years,  many  of 
which  agencies  are  implementing.  In  addition,  the  White  House,  OMB,  and 
certain  federal  agencies  have  undertaken  several  government-wide  initiatives 
intended  to  enhance  information  security  at  federal  agencies.  While  progress 
has  been  made  on  these  initiatives,  they  all  face  challenges  that  require 
sustained  attention,  and  GAO  has  made  several  recommendations  for 
improving  the  implementation  and  effectiveness  of  these  initiatives. 

Information  Security:  Concerted  Response  Needed  to 
Resolve  Persistent  Weaknesses 

March  24,  2010 

21 

Without  proper  safeguards,  federal  computer  systems  are  vulnerable  to 
intrusions  by  individuals  who  have  malicious  intentions  and  can  obtain 
sensitive  information.  The  need  for  a  vigilant  approach  to  information  security 
has  been  demonstrated  by  the  pervasive  and  sustained  cyberattacks  against 
the  United  States;  these  attacks  continue  to  pose  a  potentially  devastating 
impact  to  systems  and  the  operations  and  critical  infrastructures  they  support. 

Cybersecurity:  Continued  Attention  Is  Needed  to  Protect 
Federal  Information  Systems  from  Evolving  Threats 

March  16,  2010 

15 

The  White  House,  the  Office  of  Management  and  Budget,  and  certain  federal 
agencies  have  undertaken  several  government-wide  initiatives  intended  to 
enhance  information  security  at  federal  agencies.  While  progress  has  been 
made  on  these  initiatives,  they  all  face  challenges  that  require  sustained 
attention,  and  GAO  has  made  several  recommendations  for  improving  the 
implementation  and  effectiveness  of  these  initiatives. 
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Concerted  Effort  Needed  to  Consolidate  and  Secure 
Internet  Connections  at  Federal  Agencies 

April  12,  2010 

40 

To  reduce  the  threat  to  federal  systems  and  operations  posed  by  cyberattacks 
on  the  United  States,  OMB  launched,  in  November  2007,  the  Trusted  Internet 
Connections  (TIC)  initiative,  and  later,  in  2008,  DHS’s  National  Cybersecurity 
Protection  System  (NCPS),  operationally  known  as  Einstein,  which  became 
mandatory  for  federal  agencies  as  part  of  TIC.  To  further  ensure  that  federal 
agencies  have  adequate,  sufficient,  and  timely  information  to  successfully  meet 
the  goals  and  objectives  of  the  TIC  and  Einstein  programs,  DHS’s  Secretary 
should,  to  better  understand  whether  Einstein  alerts  are  valid,  develop 
additional  performance  measures  that  indicate  how  agencies  respond  to  alerts. 

Cybersecurity:  Progress  Made  But  Challenges  Remain  in 
Defining  and  Coordinating  the  Comprehensive  National 
Initiative 

March  5,  2010 

64 

To  address  strategic  challenges  in  areas  that  are  not  the  subject  of  existing 
projects  within  CNCI  but  remain  key  to  achieving  the  initiative’s  overall  goal 
of  securing  federal  information  systems,  OMB’s  Director  should  continue 
developing  a  strategic  approach  to  identity  management  and  authentication, 
linked  to  HSPD-12  implementation,  as  initially  described  in  the  CIOC's  plan 
for  implementing  federal  identity,  credential,  and  access  management,  so  as  to 
provide  greater  assurance  that  only  authorized  individuals  and  entities  can  gain 
access  to  federal  information  systems. 

Continued  Efforts  Are  Needed  to  Protect  Information 
Systems  from  Evolving  Threats 

November  1 7,  2009 

24 

GAO  has  identified  weaknesses  in  all  major  categories  of  information  security 
controls  at  federal  agencies.  For  example,  in  FY2008,  weaknesses  were 
reported  in  such  controls  at  23  of  24  major  agencies.  Specifically,  agencies  did 
not  consistently  authenticate  users  to  prevent  unauthorized  access  to  systems; 
apply  encryption  to  protect  sensitive  data;  and  log,  audit,  and  monitor 
security-relevant  events,  among  other  actions. 

Efforts  to  Improve  Information  sharing  Need  to  Be 
Strengthened 

August  27,  2003 

59 

Information  on  threats,  methods,  and  techniques  of  terrorists  is  not  routinely 
shared;  and  the  information  that  is  shared  is  not  perceived  as  timely,  accurate, 
or  relevant. 

Source:  Highlights  compiled  by  CRS  from  the  GAO  reports. 
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Improving  Cybersecurity 

Ongoing 

N/A 

OMB  is  working  with  agencies,  Inspectors  General,  Chief  Information 

Officers,  senior  agency  officials  in  charge  of  privacy,  as  well  as  GAO  and 
Congress,  to  strengthen  the  federal  government's  IT  security  and  privacy 
programs.  The  site  provides  information  on  Cross-Agency  Priority  (CAP) 
goals,  proposed  cybersecurity  legislation,  CyberStat,  continuous  monitoring 
and  remediation,  using  SmartCards  for  identity  management,  and  standardizing 
security  through  configuration  settings. 

Liberty  and  Security  in  a  Changing  World:  Report  and 
Recommendations  of  The  President’s  Review  Group  on 
Intelligence  and  Communications  Technologies 

December  12,  2013 

308 

From  the  report,  “The  national  security  threats  facing  the  United  States  and 
our  allies  are  numerous  and  significant,  and  they  will  remain  so  well  into  the 
future.  These  threats  include  international  terrorism,  the  proliferation  of 
weapons  of  mass  destruction,  and  cyber  espionage  and  warfare...  After  careful 
consideration,  we  recommend  a  number  of  changes  to  our  intelligence 
collection  activities  that  will  protect  [privacy  and  civil  liberties]  values  without 
undermining  what  we  need  to  do  to  keep  our  nation  safe.” 

Immediate  Opportunities  for  Strengthening  the  Nation’s 
Cybersecurity 

November  2013 

31 

This  is  a  report  of  the  President’s  Council  of  Advisors  on  Science  and 
Technology  (PCAST).  The  report  recommends  the  government  phase  out 

insecure,  outdated  operating  systems,  like  Windows  XP,  implement  better 
encryption  technology,  and  encourage  automatic  security  updates,  among 
other  changes.  PCAST  also  recommends,  for  regulated  industries,  that  the 
government  help  create  cybersecurity  best  practices  and  audit  their 
adoption — and  for  independent  agencies,  PCAST  write  new  rules  that  require 
businesses  to  report  their  cyber  improvements. 


Cross  Agency  Priority  Goal:  Cybersecurity,  FY20I3  Q3 
Status  Report 

October  20 1 3 

24 

Executive  branch  departments  and  agencies  will  achieve  95%  implementation 
of  the  Administration’s  priority  cybersecurity  capabilities  by  the  end  of 

FY20I4.  These  capabilities  include  strong  authentication,  Trusted  Internet 
Connections  (TIC),  and  Continuous  Monitoring. 

Incentives  to  Support  Adoption  of  the  Cybersecurity 
Framework 

August  6,  20 1 3 

N/A 

From  the  report,  “To  promote  cybersecurity  practices  and  develop  these 
core  capabilities,  we  are  working  with  critical  infrastructure  owners  and 
operators  to  create  a  Cybersecurity  Framework  -  a  set  of  core  practices  to 
develop  capabilities  to  manage  cybersecurity  risk...  Over  the  next  few  months, 
agencies  will  examine  these  options  in  detail  to  determine  which  ones  to 
adopt  and  how,  based  substantially  on  input  from  critical  infrastructure 
stakeholders.” 

3  For  a  list  of  White  House  executive  orders,  see  CRS  Report  R43317,  Cybersecurity:  Legislation,  Hearings,  and  Executive  Branch  Documents,  by  Rita  Tehan. 
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FY  2012  Report  to  Congress  on  the  Implementation  of 
the  Federal  Information  Security  Management  Act  of  2002 

March  2013 

68 

More  government  programs  violated  data  security  law  standards  in  2012  than 
in  the  previous  year,  and  at  the  same  time,  computer  security  costs  have 
increased  by  more  than  $  1  billion.  Inadequate  training  was  a  large  part  of  the 
reason  all-around  FISMA  adherence  scores  slipped  from  75%  in  201  1  to  74% 
in  2012.  Agencies  reported  that  about  88%  of  personnel  with  system  access 
privileges  received  annual  security  awareness  instruction,  down  from  99%  in 
2011.  Meanwhile,  personnel  expenses  accounted  for  the  vast  majority — 

90% — of  the  $14.6  billion  departments  spent  on  information  technology 
security  in  20 1 2. 

Administration  Strategy  for  Mitigating  the  Theft  of  U.S. 

T rade  Secrets 

February  20,  2013 

141 

From  the  report,  “First,  we  will  increase  our  diplomatic  engagement.... 

Second,  we  will  support  industry-led  efforts  to  develop  best  practices  to 
protect  trade  secrets  and  encourage  companies  to  share  with  each  other  best 
practices  that  can  mitigate  the  risk  of  trade  secret  theft....  Third,  DOJ  will 
continue  to  make  the  investigation  and  prosecution  of  trade  secret  theft  by 
foreign  competitors  and  foreign  governments  a  top  priority....  Fourth, 

President  Obama  recently  signed  two  pieces  of  legislation  that  will  improve 
enforcement  against  trade  secret  theft....  Lastly,  we  will  increase  public 
awareness  of  the  threats  and  risks  to  the  U.S.  economy  posed  by  trade  secret 
theft.” 

National  Strategy  for  Information  Sharing  and 

Safeguarding 

December  20 1 2 

24 

Provides  guidance  for  effective  development,  integration,  and  implementation 
of  policies,  processes,  standards,  and  technologies  to  promote  secure  and 
responsible  information  sharing. 

Collaborative  and  Cross-Cutting  Approaches  to 
Cybersecurity 

August  1 ,  20 1 2 

N/A 

Michael  Daniel,  White  House  Cybersecurity  Coordinator,  highlights  a  few 
recent  initiatives  where  voluntary,  cooperative  actions  are  helping  to  improve 
the  nation’s  overall  cybersecurity. 

Trustworthy  Cyberspace:  Strategic  Plan  for  the  Federal 
Cybersecurity  Research  and  Development  Program 

December  20 1  1 

36 

As  a  research  and  development  strategy,  this  plan  defines  four  strategic 
thrusts:  Inducing  Change;  Developing  Scientific  Foundations;  Maximizing 

Research  Impact;  and  Accelerating  Transition  to  Practice. 

FY  2012  Reporting  Instructions  for  the  Federal 

Information  Security  Management  Act  and  Agency  Privacy 
Management 

September  14,  201  1 

29 

Rather  than  enforcing  a  static,  three-year  reauthorization  process,  agencies 
are  expected  to  conduct  ongoing  authorizations  of  information  systems 
through  the  implementation  of  continuous  monitoring  programs.  Continuous 
monitoring  programs  thus  fulfill  the  three  year  security  reauthorization 
requirement,  so  a  separate  re-authorization  process  is  not  necessary. 

Cybersecurity  Legislative  Proposal  (Fact  Sheet) 

May  12,  201  1 

N/A 

The  Administration’s  proposal  ensures  the  protection  of  individuals'  privacy 
and  civil  liberties  through  a  framework  designed  expressly  to  address  the 
challenges  of  cybersecurity.  The  Administration's  legislative  proposal  includes: 
Management,  Personnel,  Intrusion  Prevention  Systems,  and  Data  Centers. 

CRS-60 


Title 

Date 

Pages 

Notes 

International  Strategy  for  Cyberspace 

May  201  1 

30 

The  strategy  marks  the  first  time  any  administration  has  attempted  to  set 
forth  in  one  document  the  U.S.  government’s  vision  for  cyberspace,  including 
goals  for  defense,  diplomacy,  and  international  development. 

National  Strategy  for  Trusted  Identities 
in  Cyberspace  (NSTIC) 

April  15,  201  1 

52 

The  NSTIC  aims  to  make  online  transactions  more  trustworthy,  thereby 
giving  businesses  and  consumers  more  confidence  in  conducting  business 
online. 

Federal  Cloud  Computing  Strategy 

February  1 3,  20 1  1 

43 

The  strategy  outlines  how  the  federal  government  can  accelerate  the  safe, 
secure  adoption  of  cloud  computing,  and  provides  agencies  with  a  framework 
for  migrating  to  the  cloud.  It  also  examines  how  agencies  can  address 
challenges  related  to  the  adoption  of  cloud  computing,  such  as  privacy, 
procurement,  standards,  and  governance. 

25  Point  Implementation  Plan  to  Reform  Federal 
Information  Technology  Management 

December  9,  20 1 0 

40 

The  plan’s  goals  are  to  reduce  the  number  of  federally  run  data  centers  from 
2,100  to  approximately  1,300,  rectify  or  cancel  one-third  of  troubled  IT 
projects,  and  require  federal  agencies  to  adopt  a  “cloud  first”  strategy  in 
which  they  will  move  at  least  one  system  to  a  hosted  environment  within  a 
year. 

Clarifying  Cybersecurity  Responsibilities  and  Activities  of 
the  Executive  Office  of  the  President  and  the  Department 
of  Homeland  Security 

July  6,2010 

39 

This  memorandum  outlines  and  clarifies  the  respective  responsibilities  and 
activities  of  the  Office  of  Management  and  Budget  (OMB),  the  Cybersecurity 
Coordinator,  and  DHS,  in  particular  with  respect  to  the  Federal 

Government’s  implementation  of  the  Federal  Information  Security 

Management  Act  of  2002  (FISMA). 

The  National  Strategy  for  Trusted  Identities  in 

Cyberspace:  Creating  Options  for  Enhanced  Online 

Security  and  Privacy  (Draft) 

June  25,  2010 

39 

The  NSTIC,  which  is  in  response  to  one  of  the  near-term  action  items  in  the 
President’s  Cyberspace  Policy  Review,  calls  for  the  creation  of  an  online 
environment,  or  an  Identity  Ecosystem,  where  individuals  and  organizations 
can  complete  online  transactions  with  confidence,  trusting  the  identities  of 
each  other  and  the  identities  of  the  infrastructure  where  transaction  occur. 

Comprehensive  National  Cybersecurity  Initiative  (CNCI) 

March  2,  2010 

5 

The  CNCI  establishes  a  multi-pronged  approach  the  federal  government  is  to 
take  in  identifying  current  and  emerging  cyber  threats,  shoring  up  current  and 
future  telecommunications  and  cyber  vulnerabilities,  and  responding  to  or 
proactively  addressing  entities  that  wish  to  steal  or  manipulate  protected  data 
on  secure  federal  systems. 
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Cyberspace  Policy  Review:  Assuring  a  Trusted  and 
Resilient  Communications  Infrastructure 

May  29,  2009 

76 

The  President  directed  a  60-day,  comprehensive,  “clean-slate”  review  to 
assess  U.S.  policies  and  structures  for  cybersecurity.  The  review  team  of 
government  cybersecurity  experts  engaged  and  received  input  from  a  broad 
cross-section  of  industry,  academia,  the  civil  liberties  and  privacy  communities, 
state  governments,  international  partners,  and  the  legislative  and  executive 
branches.  This  paper  summarizes  the  review  team’s  conclusions  and  outlines 
the  beginning  of  the  way  forward  toward  a  reliable,  resilient,  trustworthy 
digital  infrastructure  for  the  future. 

Source:  Highlights  compiled  by  CRS  from  the  White  House  reports. 
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Improving  Cybersecurity  and  Resilience  Department  of  Defense  January  23,  2014 

through  Acquisition  and  the  General  Services 

Administration 


Offensive  Cyber  Capabilities  at  the  Center  for  Strategic  &  September  1 6,  20 1 3 

Operational  Level  -  The  Way  Ahead  International  Studies  (CSIS) 


An  Assessment  of  the  Department  of  Defense  U.S.  Army  War  College  September  20 1 3 
Strategy  for  Operating  in  Cyberspace 


Joint  Professional  Military  Education  Francesca  Spidalieri  (Pell  August  7,  20123 

Institutions  in  an  Age  of  Cyber  Threat  Center  Fellow) 


Military  and  Security  Developments  Involving  Department  of  Defense  May  6,  2013 
the  People’s  Republic  of  China  20 1 3  (Annual 
Report  to  Congress) 


24  The  Department  of  Defense  and  U.S.  General  Services 

Administration  (GSA)  jointly  released  a  report  announcing  six 
planned  reforms  to  improve  the  cybersecurity  and  resilience  of 
the  Federal  Acquisition  System.  The  report  provides  a  path 
forward  to  aligning  federal  cybersecurity  risk  management  and 
acquisition  processes.  It  provides  strategic  recommendations 
for  addressing  relevant  issues,  suggests  how  challenges  might  be 
resolved,  and  identifies  important  considerations  for  the 
implementation  of  the  recommendations. 

20  The  specific  question  this  report  examines  is  whether  the 

Defense  Department  should  make  a  more  deliberate  effort  to 
explore  the  potential  of  offensive  cyber  tools  at  levels  below 
that  of  a  combatant  command. 

60  This  monograph  is  organized  in  three  main  parts.  The  first  part 
explores  the  evolution  of  cyberspace  strategy  through  a  series 
of  government  publications  leading  up  to  the  DoD  Strategy  for 
Operating  in  Cyberspace.  In  the  second  part,  each  strategic 
initiative  is  elaborated  and  critiqued  in  terms  of  significance, 
novelty,  and  practicality.  In  the  third  part,  the  monograph 
critiques  the  DoD  Strategy  as  a  whole. 

1 8  The  report  found  that  the  Joint  Professional  Military  Education 
at  the  six  U.S.  military  graduate  schools — a  requirement  for 
becoming  a  Joint  Staff  Officer  and  for  promotion  to  the  senior 
ranks — has  not  effectively  incorporated  cybersecurity  into 
specific  courses,  conferences,  war  gaming  exercises,  or  other 
forms  of  training  for  military  officers.  While  these  graduate 
programs  are  more  advanced  on  cybersecurity  than  most 
American  civilian  universities,  a  preparation  gap  still  exists. 

92  China  is  using  its  computer  network  exploitation  capability  to 
support  intelligence  collection  against  the  U.S.  diplomatic, 
economic,  and  defense  industrial  base  sectors  that  support  U.S. 
national  defense  programs.  The  information  targeted  could 
potentially  be  used  to  benefit  China’s  defense  industry,  high- 
technology  industries,  policy  maker  interest  in  U.S.  leadership 
thinking  on  key  China  issues,  and  military  planners  building  a 
picture  of  U.S.  network  defense  networks,  logistics,  and  related 
military  capabilities  that  could  be  exploited  during  a  crisis. 
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Resilient  Military  Systems  and  the  Advanced 
Cyber  Threat 

Department  of  Defense 
Science  Board 

January  20 1 3 

146 

The  report  states  that,  despite  numerous  Pentagon  actions  to 
parry  sophisticated  attacks  by  other  countries,  efforts  are 
“fragmented”  and  the  Defense  Department  “is  not  prepared  to 
defend  against  this  threat.”  The  report  lays  out  a  scenario  in 
which  cyberattacks  in  conjunction  with  conventional  warfare 
damaged  the  ability  of  U.S.  forces  to  respond,  creating 
confusion  on  the  battlefield  and  weakening  traditional  defenses. 

FY  2012  Annual  Report 

Department  of  Defense 

January  20 1 3 

372 

Annual  report  to  Congress  by  J.  Michael  Gilmore,  director  of 
Operational  Test  and  Evaluation.  Assesses  the  operational 
effectiveness  of  systems  being  developed  for  combat.  See 
“Information  Assurance  (I/A)  and  Interoperability  (IOP)” 
chapter,  pages  305-3  12,  for  information  on  network 
exploitation  and  compromise  exercises. 

Basic  Safeguarding  of  Contractor  Information 
Systems  (Proposed  Rule) 

Department  of  Defense 
(DoD),  General  Services 
Administration  (GSA),  and 
National  Aeronautics  and 
Space  Administration 
(NASA) 

August  24,  20 1 2 

4 

This  regulation  authored  by  the  DOD,  General  Services 
Administration  (GSA),  and  National  Aeronautics  and  Space 
Administration  (NASA)  “would  add  a  contract  clause  to 
address  requirements  for  the  basic  safeguarding  of  contractor 
information  systems  that  contain  or  process  information 
provided  by  or  generated  for  the  government  (other  than 
public  information).” 

Electronic  Warfare:  DOD  Actions  Needed  to 
Strengthen  Management  and  Oversight 

GAO 

July  9,  2012 

46 

DOD’s  oversight  of  electronic  warfare  capabilities  may  be 
further  complicated  by  its  evolving  relationship  with  computer 
network  operations,  which  is  also  an  information  operations- 
related  capability.  Without  clearly  defined  roles  and 
responsibilities  and  updated  guidance  regarding  oversight 
responsibilities,  DOD  does  not  have  reasonable  assurance  that 
its  management  structures  will  provide  effective  department¬ 
wide  leadership  for  electronic  warfare  activities  and  capabilities 
development  and  ensure  effective  and  efficient  use  of  its 
resources. 

Cloud  Computing  Strategy 

DOD,  Chief  Information 
Officer 

July  2012 

44 

The  DOD  Cloud  Computing  Strategy  introduces  an  approach 
to  move  the  department  from  the  current  state  of  a  duplicative, 
cumbersome,  and  costly  set  of  application  silos  to  an  end  state, 
which  is  an  agile,  secure,  and  cost  effective  service  environment 
that  can  rapidly  respond  to  changing  mission  needs. 

CRS-64 


Title 

Source 

Date 

Pages 

Notes 

DOD  Defense  Industrial  Base  (DIB)  Voluntary 
Cyber  Security  and  Information  Assurance 
(CS/IA)  Activities 

Federal  Register 

May  1  1,  2012 

7 

DOD  interim  final  rule  to  establish  a  voluntary  cyber  security 
information  sharing  program  between  DOD  and  eligible  DIB 
companies.  The  program  enhances  and  supplements  DIB 
participants’  capabilities  to  safeguard  DOD  information  that 
resides  on,  or  transits,  DIB  unclassified  information. 

DOD  Information  Security  Program: 

Overview,  Classification,  and  Declassification 

DOD 

February  24,  2012 

84 

Describes  the  DOD  Information  Security  Program,  and 
provides  guidance  for  classification  and  declassification  of  DOD 
information  that  requires  protection  in  the  interest  of  the 
national  security. 

Cyber  Sentries:  Preparing  Defenders  to  Win 
in  a  Contested  Domain 

Air  War  College 

February  7,  20 1 2 

38 

This  paper  examines  the  current  impediments  to  effective 
cybersecurity  workforce  preparation  and  offers  new  concepts 
to  create  Cyber  Sentries  through  realistic  training,  network 
authorities  tied  to  certification,  and  ethical  training.  These 
actions  present  an  opportunity  to  significantly  enhance 
workforce  quality  and  allow  the  Department  to  operate 
effectively  in  the  contested  cyber  domain  in  accordance  with 
the  vision  established  in  its  Strategy  for  Cyberspace  Operations 

Defense  Department  Cyber  Efforts: 

Definitions,  Focal  Point,  and  Methodology 
Needed  for  DOD  to  Develop  Full-Spectrum 
Cyberspace  Budget  Estimates 

Government 

Accountability  Office 
(GAO) 

July  29,  2011 

33 

This  letter  discusses  DOD’s  cyber  and  information  assurance 
budget  for  fiscal  year  2012  and  future  years  defense  spending. 

The  objectives  of  this  review  were  to  ( 1 )  assess  the  extent  to 
which  DOD  has  prepared  an  overarching  budget  estimate  for 
full-spectrum  cyberspace  operations  across  the  department; 
and  (2)  identify  the  challenges  DOD  has  faced  in  providing  such 
estimates. 

Legal  Reviews  of  Weapons  and  Cyber 
Capabilities 

Secretary  of  the  Air  Force 

July  27,  2011 

7 

Report  concludes  the  Air  Force  must  subject  cyber  capabilities 
to  legal  review  for  compliance  with  the  Law  of  Armed  Conflict 
and  other  international  and  domestic  laws.  The  Air  Force  judge 
advocate  general  must  ensure  that  all  cyber  capabilities  “being 
developed,  bought,  built,  modified  or  otherwise  acquired  by  the 
Air  Force"  must  undergo  legal  review — except  for  cyber 
capabilities  within  a  Special  Access  Program,  which  must 
undergo  review  by  the  Air  Force  general  counsel. 

Department  of  Defense  Strategy  for 

Operating  in  Cyberspace 

DOD 

July  201  1 

19 

This  is  an  unclassified  summary  of  DOD’s  cyber-security 
strategy. 
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Cyber  Operations  Personnel  Report  (DOD) 

DOD 

April  201  1 

84 

This  report  focuses  on  FY2009  Department  of  Defense  Cyber 
Operations  personnel,  with  duties  and  responsibilities  as 
defined  in  Section  934  of  the  Fiscal  Year  2010  National  Defense 
Authorization  Act  (NDAA). 

Appendix  A — Cyber  Operations-related  Military  Occupations 
Appendix  B — Commercial  Certifications  Supporting  the  DOD 
Information  Assurance  Workforce  Improvement  Program 
Appendix  C — Military  Services  Training  and  Development 
Appendix  D — Geographic  Location  of  National  Centers  of 
Academic  Excellence  in  Information  Assurance 

Anomaly  Detection  at  Multiple  Scales 
(ADAMS) 

Defense  Advanced 

Research  Projects  Agency 
(DARPA) 

November  9,  20 1  1 

74 

The  design  document  was  produced  by  Allure  Security  and 
sponsored  by  the  Defense  Advanced  Research  Projects  Agency 
(DARPA).  It  describes  a  system  for  preventing  leaks  by  seeding 
believable  disinformation  in  military  information  systems  to  help 
identify  individuals  attempting  to  access  and  disseminate 
classified  information. 

Critical  Code:  Software  Producibility  for 
Defense 

National  Research  Council, 
Committee  for  Advancing 
Software-Intensive  Systems 
Producibility 

October  20,  20 1 0 

160 

Assesses  the  nature  of  the  national  investment  in  software 
research  and,  in  particular,  considers  ways  to  revitalize  the 
knowledge  base  needed  to  design,  produce,  and  employ 
software-intensive  systems  for  tomorrow’s  defense  needs. 

Defending  a  New  Domain 

U.S.  Deputy  Secretary  of 
Defense,  William  J.  Lynn 
(Foreign  Affairs) 

September/October 

2010 

N/A 

In  2008,  the  U.S.  Department  of  Defense  suffered  a  significant 
compromise  of  its  classified  military  computer  networks.  It 
began  when  an  infected  flash  drive  was  inserted  into  a  U.S. 
military  laptop  at  a  base  in  the  Middle  East.  This  previously 
classified  incident  was  the  most  significant  breach  of  U.S. 
military  computers  ever,  and  served  as  an  important  wake-up 
call. 

The  QDR  in  Perspective:  Meeting  America’s 
National  Security  Needs  In  the  21st  Century 
(QDR  Final  Report) 

Quadrennial  Defense 

Review 

July  30,  2010 

159 

From  the  report:  “The  expanding  cyber  mission  also  needs  to 
be  examined.  The  Department  of  Defense  should  be  prepared 
to  assist  civil  authorities  in  defending  cyberspace  -  beyond  the 
Department’s  current  role." 

Cyberspace  Operations:  Air  Force  Doctrine 
Document  3-12 

U.S.  Air  Force 

July  15,  2010 

62 

This  Air  Force  Doctrine  Document  (AFDD)  establishes 
doctrinal  guidance  for  the  employment  of  U.S.  Air  Force 
operations  in,  through,  and  from  cyberspace.  It  is  the  keystone 
of  Air  Force  operational-level  doctrine  for  cyberspace 
operations. 
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DON  (Department  of  the  Navy) 
Cybersecurity/Information  Assurance 
Workforce  Management,  Oversight  and 
Compliance 

U.S.  Navy 

June  17,  2010 

14 

To  establish  policy  and  assign  responsibilities  for  the 
administration  of  the  Department  of  the  Navy  (DON) 
Cybersecurity  (CS)/lnformation  Assurance  Workforce  (IAWF) 
Management  Oversight  and  Compliance  Program. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 

Table  12.  National  Institute  of  Standards  and  Technology  (NIST) 

Including  the  Cybersecurity  Framework 
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Pages 
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Framework  for  Improving  Critical  Infrastructure 
Cybersecurity 


February  12,  2014 


Update  on  the  Development  of  the  Cybersecurity  January  15  2014 
Framework 


Proposed  Establishment  of  a  Federally  Funded  January  10  2014 

Research  and  Development  Center 


Designed-in  Cyber  Security  for  Cyber-Physical  November  20,  20 1 3 

Systems 


60 


The  voluntary  framework  consists  of  cybersecurity  standards  that  can  be 
customized  to  various  sectors  and  adapted  by  both  large  and  small  organizations. 
Addionally,  so  that  the  private  sector  may  fully  adopt  this  Framework,  the 
Department  of  Homeland  Security  announced  the  Critical  Infrastructure  Cyber 
Community  (C3) — or  "C-cubed" — Voluntary  Program.  The  C3  program  gives 
companies  that  provide  critical  services  like  cell  phones,  email,  banking,  energy, 
and  state  and  local  governments,  direct  access  to  cybersecurity  experts  within 
DHS  who  have  knowledge  about  specific  threats,  ways  to  counter  those  threats, 
and  how,  over  the  long  term,  to  design  and  build  systems  that  are  less 
vulnerable  to  cyber  threats. 

From  the  document,  "While  stakeholders  have  said  they  see  the  value  of 
guidance  relating  to  privacy,  many  comments  stated  a  concern  that  the 
methodology  did  not  reflect  consensus  private  sector  practices  and  therefore 
might  limit  use  of  the  Framework.  Many  commenters  also  stated  their  belief  that 
privacy  considerations  should  be  fully  integrated  into  the  Framework  Core.” 

NIST  intends  to  sponsor  a  Federally  Funded  Research  and  Development  Center 
(FFRDC)  to  facilitate  public-private  collaboration  for  accelerating  the  widespread 
adoption  of  integrated  cybersecurity  tools  and  technologies.  NIST  published 
three  notices  in  the  Federal  Register  advising  the  public  of  the  agency's  intention 
to  sponsor  an  FFRDC  and  requesting  comments  from  the  public.  This  notice 
provides  NIST's  analysis  of  the  comments  related  to  NIST's  proposed 
establishment  of  the  FFRDC  received  in  response  to  those  notices. 

NIST  and  the  Cybersecurity  Research  Alliance  held  a  two-day  workshop  (April 
4-5,  2013)  for  industry,  government,  and  academic  cyber  security  researchers. 
The  report’s  findings  lay  out  a  logical  roadmap  for  designing  security  into  varied 
IP-based  systems  and  platforms  increasingly  targeted  by  cyber  attackers. 
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Title 


Date 


Pages 


Cybersecurity  Framework 

October  22,  2013 

47 

A  Role-Based  Model  for  Federal  Information 
Technology/Cybersecurity  Training  (Draft  Special 
Publication  800-16  Revision  1) 

October  2013 

152 

Guide  to  Attribute  Based  Access  Control 

Definition  and  Considerations  (Draft  SP  800-162) 

October  2013 

48 

Discussion  Draft  of  the  Preliminary  Cybersecurity 
Framework 

August  28,  20 1 3 

36 

DRAFT  Outline — Preliminary  Framework  to 

Reduce  Cyber  Risks  to  Critical  Infrastructure 

July  1, 2013 

5 

Computer  Security  Incident  Coordination  (CSIC): 
Providing  Timely  Cyber  Incident  Response 

June  28,  2013 

3 

Proposed  Establishment  of  a  Federally  Funded 
Research  and  Development  Center — Second 

Notice 

June  21, 2013 

2 

Update  on  the  Development  of  the  Cybersecurity 
Framework 

June  18,2013 

3 
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Notes 


NIST  seeks  comments  on  the  preliminary  version  of  the  Cybersecurity 
Framework  (“preliminary  Framework").  Under  Executive  Order  13636,  NIST  is 
directed  to  work  with  stakeholders  to  develop  a  framework  to  reduce  cyber 
risks  to  critical  infrastructure. 

This  guidance  will  assist  managers  at  all  level  to  understand  their  responsibilities 
in  providing  role-based  cybersecurity  training, 


Improving  information  sharing  while  maintaining  control  over  access  to  that 
information  is  a  primary  goal  of  guidance  coming  from  the  NIST. 

The  Framework  provides  a  common  language  and  mechanism  for  organizations 
to  (I)  describe  current  cybersecurity  posture;  (2)  describe  their  target  state  for 
cybersecurity;  (3)  identify  and  prioritize  opportunities  for  improvement  within 
the  context  of  risk  management;  (4)  assess  progress  toward  the  target  state;  (5) 
foster  communications  among  internal  and  external  stakeholders. 

This  draft  is  produced  for  discussion  purposes  at  the  upcoming  workshops  and 
to  further  encourage  private-sector  input  before  NIST  publishes  a  preliminary 
Draft  Framework  to  Reduce  Cyber  Risks  to  Critical  Infrastructure  (“the  Framework”) 
for  public  comment  in  October. 

NIST  is  seeking  information  relating  to  Computer  Security  Incident 
Coordination  (CSIC)  as  part  of  the  research  needed  to  write  a  NIST  Special 
Publication  (SP)  to  help  Computer  Security  Incident  Response  Teams  (CSIRTs) 
coordinate  effectively  when  responding  to  computer-security  incidents.  The 
NIST  SP  will  identify  technical  standards,  methodologies,  procedures,  and 
processes  that  facilitate  prompt  and  effective  response. 

NIST  intends  to  sponsor  a  Federally  Funded  Research  and  Development  Center 
(FFRDC)  to  facilitate  public-private  collaboration  for  accelerating  the  widespread 
adoption  of  integrated  cybersecurity  tools  and  technologies.  This  is  the  second 
of  three  notices  that  must  be  published  over  a  90-day  period  to  advise  the  public 
of  the  agency’s  intention  to  sponsor  an  FFRDC. 

NIST  is  seeking  input  about  foundational  cybersecurity  practices,  ideas  for  how 
to  manage  privacy  and  civil  liberties  needs,  and  outcome-oriented  metrics  that 
leaders  can  use  in  evaluating  the  position  and  progress  of  their  organizations’ 
cybersecurity  status.  In  a  few  weeks,  NIST  expects  to  post  an  outline  of  the 
preliminary  cybersecurity  framework,  including  existing  standards  and  practices. 


Title 

Date 

Pages 

Notes 

Initial  Analysis  of  Cybersecurity  Framework  RFI 
Responses 

May  15,  2013 

34 

NIST  released  an  initial  analysis  of  243  responses  to  the  Feb.  26  RFI.  The  analysis 
will  form  the  basis  for  an  upcoming  workshop  at  Carnegie  Mellon  University  in 
Pittsburgh  as  NIST  moves  forward  on  creating  a  cybersecurity  framework  for 
essential  energy,  utility  and  communications  systems. 

Proposed  Establishment  of  a  Federally  Funded 
Research  and  Development  Center-First  Notice 

April  22,  2013 

2 

To  help  the  National  Cybersecurity  Center  of  Excellence  (NCCoE)  address 
industry’s  needs  most  efficiently,  NIST  will  sponsor  its  first  Federally  Funded 
Research  and  Development  Center  (FFRDC)  to  facilitate  public-private 
collaboration  for  accelerating  the  widespread  adoption  of  integrated 
cybersecurity  tools  and  technologies. 

Security  and  Privacy  Controls  for  Federal 
Information  Systems  (SP  800-53,  Rev.  4) 

April  2013 

457 

Special  Publication  800-53,  Revision  4,  provides  a  more  holistic  approach  to 
information  security  and  risk  management  by  providing  organizations  with  the 
breadth  and  depth  of  security  controls  necessary  to  fundamentally  strengthen 
their  information  systems  and  the  environments  in  which  those  systems 
operate — contributing  to  systems  that  are  more  resilient  in  the  face  of 
cyberattacks  and  other  threats.  This  “Build  It  Right"  strategy  is  coupled  with  a 
variety  of  security  controls  for  "Continuous  Monitoring"  to  give  organizations 
near  real-time  information  that  is  essential  for  senior  leaders  making  ongoing 
risk-based  decisions  affecting  their  critical  missions  and  business  functions. 

Developing  a  Framework  To  Improve  Critical 
Infrastructure  Cybersecurity,  Notice;  Request  for 
Information 

February  26,  20 1 3 

5 

NIST  announced  the  first  step  in  the  development  of  a  Cybersecurity 

Framework,  which  will  be  a  set  of  voluntary  standards  and  best  practices  to 
guide  industry  in  reducing  cyber  risks  to  the  networks  and  computers  that  are 
vital  to  the  nation’s  economy,  security,  and  daily  life. 

Memorandum  of  Understanding  (MOU) 

December  2,  2010 

4 

The  MOU,  signed  by  NIST,  DHS,  and  the  Financial  Services  Sector  Coordinating 
Council  (FSSCC),  formalizes  the  intent  of  the  parties  to  expedite  the 
coordinated  development  and  availability  of  collaborative  research,  development, 
and  testing  activities  for  cybersecurity  technologies  and  processes  based  upon 
the  financial  services  sector’s  needs. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
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Table  1 3.  Other  Federal  Agencies 


Title 

Source 

Date 

Pages 

Continuous  Diagnostic  and  Mitigation  Program 

DHS 

Ongoing 

N/A 

SEC  to  Hold  Cybersecurity  Roundtable 


Securities  and  Exchange  February  14,  N/A 

Commission  2014 


The  Critical  Infrastructure  Cyber  Community  C3  DHS 
Voluntary  Program 


February  12,  N/A 

2014 


The  Federal  Government's  Track  Record  on  Sen.  Homeland  Security  February  4,  19 

Cybersecurity  and  Critical  Infrastructure  and  Governmental  2013 

Affairs  Committee 
(Minority  Staff) 


The  Department  of  Energy’s  July  20 1 3  Cyber  DOE  Inspector  General  December  2013  28 

Security  Breach 
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Notes 


An  initiative  to  deploy  continuous  monitoring  at  U.S.  federal 
government  agencies  will  be  done  in  phases,  with  the  initial 
rollout  occurring  over  three  years.  The  initial  phase  is  aimed  at 
getting  federal  civilian  agencies  to  employ  continuous  diagnostic 
tools  to  improve  vulnerability  management,  enforce  strong 
compliance  settings,  manage  hardware  and  software  assets  and 
establish  white-listing  of  approved  services  and  applications. 

The  SEC  announced  that  it  will  host  a  roundtable  to  discuss 
cybersecurity,  the  issues  and  challenges  it  raises  for  market 
participants  and  public  companies,  and  how  they  are  addressing 
those  concerns.  The  roundtable  will  be  held  at  the  SEC’s 
Washington,  DC,  headquarters  on  March  26  and  will  be  open  to 
the  public  and  webcast  live  on  the  SEC’s  website.  Information 
on  the  agenda  and  participants  will  be  published  in  the  coming 
weeks. 

The  C3  Voluntary  Program  will  serve  as  a  point  of  contact  and 
customer  relationship  manager  to  assist  organizations  with 
Framework  use  and  guide  interested  organizations  and  sectors 
to  DHS  and  other  public  and  private-sector  resources  to 
support  use  of  the  Cybersecurity  Framework. 

Since  2006,  the  federal  government  has  spent  at  least  $65  billion 
on  securing  its  computers  and  networks,  according  to  an 
estimate  by  the  Congressional  Research  Service.  NIST,  the 
government’s  official  body  for  setting  cybersecurity  standards, 
has  produced  thousands  of  pages  of  precise  guidance  on  every 
significant  aspect  of  IT  security.  And  yet  agencies — even  agencies 
with  responsibilities  for  critical  infrastructure,  or  vast 
repositories  of  sensitive  data — continue  to  leave  themselves 
vulnerable,  often  by  failing  to  take  the  most  basic  steps  towards 
securing  their  systems  and  information. 

The  report  states  nearly  eight  times  as  many  current  and  former 
Energy  Department  staff  members  were  affected  by  a  July 
computer  hack  than  was  previously  estimated,  according  to  the 
agency’s  inspector  general.  In  August,  DOE  estimated  that  the 
hack  affected  roughly  14,000  current  and  former  staff,  leaking 
personally  identifiable  information  such  as  Social  Security 
numbers,  birthdays,  and  banking  information.  But  the  breach 
apparently  affected  more  than  1 04,000  people. 


Title 


Source 


Date 


Pages 


Notes 


Improving  Cybersecurity  and  Resilience  through 
Acquisition 


Evaluation  of  DHS’  Information  Security  Program 
for  Fiscal  Year  20 1 3 


Immediate  Opportunities  for  Strengthening  the 
Nation’s  Cybersecurity 


Federal  Energy  Regulatory  Commission’s 
Unclassified  Cyber  Security  Program  -  2013 


General  Services  January  23,  24 

Administration  and  2014 

Department  of  Defense 


DHS  Inspector  General  November  20 1 3  50 


President’s  Council  of  November  2013  31 

Advisors  on  Science 
and  Technology 
(PC  AST) 


Department  of  Energy  October  2013  13 

Office  of  Inspector 

General 


The  Department  of  Defense  and  U.S.  General  Services 
Administration  (GSA)  jointly  released  a  report  announcing  six 
planned  reforms  to  improve  the  cybersecurity  and  resilience  of 
the  Federal  Acquisition  System.  The  report  provides  a  path 
forward  to  aligning  federal  cybersecurity  risk  management  and 
acquisition  processes.  It  provides  strategic  recommendations  for 
addressing  relevant  issues,  suggests  how  challenges  might  be 
resolved,  and  identifies  important  considerations  for  the 
implementation  of  the  recommendations. 

The  report  reiterates  that  the  agency  uses  outdated  security 
controls  and  Internet  connections  that  are  not  verified  as 
trustworthy,  as  well  as  for  not  reviewing  its  “top  secret” 
information  systems  for  vulnerabilities. 

The  report  recommends  the  government  phase  out  insecure, 
outdated  operating  systems,  like  Windows  XP,  implement 
better  encryption  technology,  and  encourage  automatic  security 
updates,  among  other  changes.  PCAST  also  recommends,  for 
regulated  industries,  that  the  government  help  create 
cybersecurity  best  practices  and  audit  their  adoption — and  for 
independent  agencies,  PCAST  write  new  rules  that  require 
businesses  to  report  their  cyber  improvements. 

To  help  protect  against  continuing  cyber  security  threats,  the 
Commission  estimated  that  it  would  spend  approximately  $5.8 
million  during  Fiscal  Year  (FY)  2013  to  secure  its  information 
technology  assets,  a  9%  increase  compared  to  FY  2012...  As 
directed  by  FISMA,  the  Office  of  Inspector  General  conducted 
an  independent  evaluation  of  the  Commission's  unclassified 
cyber  security  program  to  determine  whether  it  adequately 
protected  data  and  information  systems.  This  report  presents 
the  results  of  our  evaluation  for  FY  2013. 
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Title 


Source 


Date 


Pages 


Notes 


DHS'  Efforts  to  Coordinate  the  Activities  of 
Federal  Cyber  Operations  Center 


Special  Cybersecurity  Workforce  Project  (Memo 
for  Heads  of  Executive  Departments  and  Agencies) 


Content  of  Premarket  Submissions  for 
Management  of  Cybersecurity  in  Medical  Devices, 
Notice 

DHS  Can  Take  Actions  to  Address  Its  Additional 
Cybersecurity  Responsibilities 


Mobile  Security  Reference  Architecture 


DHS  Inspector  General  October  20 1  3  29 


Office  of  Personnel  July  8,  20 1 3  N/A 

Management  (OPM) 


Food  and  Drug  June  14,  2013 

Administration  (FDA) 


Department  of  June  20 1 3  26 

Homeland  Security 


Federal  CIO  Council  May  23,  2013  103 

and  the  Department  of 
Homeland  Security 
(DHS) 


DHS  could  do  a  better  job  sharing  information  among  the  five 
federal  centers  that  coordinate  cybersecurity  work.  The 
department’s  National  Cybersecurity  and  Communications 
Integration  Center,  or  the  NCCIC,  is  tasked  with  sharing 
information  about  malicious  activities  on  government  networks 
with  cybersecurity  offices  within  the  Defense  Department,  the 
FBI  and  federal  intelligence  agencies.  But  the  DHS  center  and  the 
five  federal  cybersecurity  hubs  do  not  all  have  the  same 
technology  or  resources,  preventing  them  from  having  shared 
situational  awareness  of  intrusions  or  threats  and  restricting 
their  ability  to  coordinate  response.  The  centers  also  have  not 
created  a  standard  set  of  categories  for  reporting  incidents, 

The  OPM  is  collaborating  with  the  White  House  Office  of 
Science  and  Technology  Policy,  the  Chief  Human  Capital 
Officers  Council  (CHCOC),  and  the  Chief  Information  Officers 
Council  (CIOC)  in  implementing  a  special  workforce  project 
that  tasks  federal  agencies’  cybersecurity,  information 
technology,  and  human  resources  communities  to  build  a 
statistical  data  set  of  existing  and  future  cybersecurity  positions 
in  the  OPM  Enterprise  Human  Resources  Integration  (EHRI) 
data  warehouse  by  the  end  of  FY20I4. 

This  guidance  identifies  cybersecurity  issues  that  manufacturers 
should  consider  in  preparing  premarket  submissions  for  medical 
devices  in  order  to  maintain  information  confidentiality, 
integrity,  and  availability. 

The  National  Protection  and  Programs  Directorate  (NPPD)  was 
audited  to  determine  whether  the  Office  of  Cybersecurity  and 
Communications  had  effectively  implemented  its  additional 
cybersecurity  responsibilities  to  improve  the  security  posture  of 
the  federal  government.  Although  actions  have  been  taken, 

NPPD  can  make  further  improvements  to  address  its  additional 
cybersecurity  responsibilities. 

Gives  agencies  guidance  in  the  secure  implementation  of  mobile 
solutions  through  their  enterprise  architectures.  The  document 
provides  in-depth  reference  architecture  for  mobile  computing. 
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Date 


Pages 


Notes 


Privacy  Impact  Assessment  for  EINSTEIN  3  - 
Accelerated  (E3A) 


DHS  Secretary’s  Honors  Program:  Cyber  Student 
Initiative 


National  Level  Exercise  20 1 2:  Quick  Look  Report 


Measuring  What  Matters:  Reducing  Risks  by 
Rethinking  How  We  Evaluate  Cybersecurity 


Department  of  April  19,2013 

Homeland  Security 


Department  of  April  18,2013 

Homeland  Security 


Federal  Emergency  March  2013 

Management  Agency 


National  Academy  of  March  20 1 3 
Public  Administration 
and  Safegov.org 


27  DHS  will  deploy  EINSTEIN  3  Accelerated  (E3A)  to  enhance 
cybersecurity  analysis,  situational  awareness,  and  security 
response.  Under  the  direction  of  DHS,  ISPs  will  administer 
intrusion  prevention  and  threat-based  decision-making  on 
network  traffic  entering  and  leaving  participating  federal  civilian 
Executive  Branch  agency  networks.  This  Privacy  Impact 
Assessment  (PIA)  is  being  conducted  because  E3A  will  include 
analysis  of  federal  network  traffic,  which  may  contain  personally 
identifiable  information  (Pll). 

2  The  Cyber  Student  Initiative  program  will  begin  at  Immigration 
and  Customs  Enforcement  computer  forensic  labs  in  36  cities 
nationwide,  where  students  will  be  trained  and  will  gain  hands- 
on  experience  within  the  department’s  cybersecurity 
community.  The  unpaid  volunteer  program  is  only  available  to 
community  college  students  and  veterans  pursuing  a  degree  in 
the  cybersecurity  field. 

22  National  Level  Exercise  (NLE)  2012  was  a  series  of  exercise 

events  that  examined  the  ability  of  the  United  States  to  execute 
a  coordinated  response  to  a  series  of  significant  cyber  incidents. 
As  a  part  of  the  National  Exercise  Program,  NLE  2012 
emphasized  the  shared  responsibility  among  all  levels  of 
government,  the  private  sector,  and  the  international  community 
to  secure  cyber  networks  and  coordinate  response  and 
recovery  actions.  The  NLE  2012  series  was  focused  on 
examining  four  major  themes:  planning  and  implementation  of 
the  draft  National  Cyber  Incident  Response  Plan  (NCIRP), 
coordination  among  governmental  entities,  information  sharing, 
and  decision  making. 

39  Rather  than  periodically  auditing  whether  an  agency's  systems 
meet  the  standards  enumerated  in  Federal  Information  Security 
Management  Act  (FISMA)  at  a  static  moment  in  time,  agencies 
and  their  inspectors  general  should  keep  running  scorecards  of 
“cyber  risk  indicators"  based  on  continual  IG  assessments  of  a 
federal  organization's  cyber  vulnerabilities. 
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Title 


Source 


Date  Pages 


Follow-up  Audit  of  the  Department’s  Cyber  Department  of  Energy  December  20 1 2 

Security  Incident  Management  Program  Inspector  General 


Secure  and  Trustworthy  Cyberspace  (SaTC) 
Program  Solicitation 


National  Science 
Foundation  and  the 
National  Science  and 
Technology  Council 
(NSTC) 


Annual  Report  to  Congress  20 1 2:  National  Information  Sharing 

Security  Through  Responsible  Information  Sharing  Environment  (ISE) 


October  4, 

2012 


June  30,  2012 


Cybersecurity:  CF  Disclosure  Guidance:  Topic  No.  SecuritieS  and  Exchange  °ctober  1 3, 

9  °  90 1  I 

z  Commission  1 


Note:  Highlights  compiled  by  CRS  from  the  reports. 


25  “In  2008,  we  reported  in  The  Department's  Cyber  Security 
Incident  Management  Program  (DOE/IG-0787,  January  2008) 
that  the  Department  and  NNSA  established  and  maintained  a 
number  of  independent,  at  least  partially  duplicative,  cyber 
security  incident  management  capabilities.  Although  certain 
actions  had  been  taken  in  response  to  our  prior  report,  we 
identified  several  issues  that  limited  the  efficiency  and 
effectiveness  of  the  Department's  cyber  security  incident 
management  program  and  adversely  impacted  the  ability  of  law 
enforcement  to  investigate  incidents.  For  instance,  we  noted 
that  the  Department  and  NNSA  continued  to  operate 
independent,  partially  duplicative  cyber  security  incident 
management  capabilities  at  an  annual  cost  of  more  than  $30 
million.  The  issues  identified  were  due,  in  part,  to  the  lack  of  a 
unified,  Department-wide  cyber  security  incident  management 
strategy.  In  response  to  our  finding,  management  concurred  with 
the  recommendations  and  indicated  that  it  had  initiated  actions 
to  address  the  issues  identified.” 

N/A  This  grant  program  seeks  proposals  that  address  Cybersecurity 
from  a  Trustworthy  Computing  Systems  perspective  (TWC);  a 
Social,  Behavioral  and  Economic  Sciences  perspective  (SBE);  and 
a  Transition  to  Practice  perspective  (TPP). 

1 88  From  the  report,  “This  Report,  which  PM-ISE  is  submitting  on 
behalf  of  the  President,  incorporates  input  from  our  mission 
partners  and  uses  their  initiatives  and  PM-ISE’s  management 
activities  to  provide  a  cohesive  narrative  on  the  state  and 
progress  of  terrorism-related  responsible  information  sharing, 
including  its  impact  on  our  collective  ability  to  secure  the  nation 
and  our  national  interests.” 

N/A  The  statements  in  this  CF  Disclosure  Guidance  represent  the 
views  of  the  Division  of  Corporation  Finance.  This  guidance  is 
not  a  rule,  regulation,  or  statement  of  the  Securities  and 
Exchange  Commission.  Further,  the  Commission  has  neither 
approved  nor  disapproved  its  content. 
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Table  14.  Research  &  Development  (R&D) 


Notes 


National  Cybersecurity  Center  of  Excellence 
(NCCoE) 


Software  Defined  Perimeter  Working  Group 


DARPA  Announces  Cyber  Grand  Challenge 


Resilience  metrics  for  cyber  systems 
(free  registration  required  to  download) 


Cybersecurity  Exercise:  Quantum  Dawn  2 


Source 


Date  Pages 


National  Institute  of 
Standards  and 
Technology  (NIST) 


Ongoing 


Cloud  Security  Alliance  December  I, 
2013 


Defense  Advanced  October  23, 

Research  Projects  20 1 3 

Agency  (DARPA) 


Seager,  Thomas  November 

(Arizona  State  20 1 3 

University) 


SIFMA  October  21, 

2013 


N/A  The  National  Cybersecurity  Center  of  Excellence  (NCCoE)  is  a 
new  public-private  collaboration  to  bring  together  experts  from 
industry,  government  and  academia  to  design,  implement,  test, 
and  demonstrate  integrated  cybersecurity  solutions  and 
promote  their  widespread  adoption. 

1 3  This  document  explains  the  software  defined  perimeter  (SDP) 
security  framework  and  how  it  can  be  deployed  to  protect 
application  infrastructure  from  network-based  attacks.  The  SDP 
incorporates  security  standards  from  organizations  such  as  the 
National  Institute  of  Standards  and  Technology  (NIST)  as  well  as 
security  concepts  from  organizations  such  as  the  U.S. 
Department  of  Defense  (DOD)  into  an  integrated  framework. 

N/A  DARPA  intends  to  hold  the  Cyber  Grand  Challenge  (CGC) — 
the  first-ever  tournament  for  fully  automatic  network  defense 
systems.  The  Challenge  will  see  teams  creating  automated 
systems  that  would  compete  against  each  other  to  evaluate 
software,  test  for  vulnerabilities,  generate  security  patches,  and 
apply  them  to  protected  computers  on  a  network.  The  winning 
team  in  the  CGC  finals  would  receive  a  cash  prize  of  $2  million, 
with  second  place  earning  $1  million  and  third  place  taking  home 
$750,000. 

6  Despite  the  national  and  international  importance,  resilience 
metrics  to  inform  management  decisions  are  still  in  the  early 
stages  of  development.  The  resilience  matrix  framework 
developed  by  Linkov  et  al.  is  applied  to  develop  and  organize 
effective  resilience  metrics  for  cyber  systems.  These  metrics  link 
national  policy  goals  to  specific  system  measures,  such  that 
resource  allocation  decisions  can  be  translated  into  actionable 
interventions  and  investments.  The  paper  proposes  a  generic 
approach  and  could  integrate  actual  data,  technical  judgment, 
and  literature-based  measures  to  assess  system  resilience  across 
physical,  information,  cognitive,  and  social  domains. 

N/A  Quantum  Dawn  2  is  a  cybersecurity  exercise  to  test  incident 
response,  resolution,  and  coordination  processes  for  the 
financial  services  sector  and  the  individual  member  firms  to  a 
street-wide  cyberattack. 
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Title 

Source 

Date 

Pages 

Notes 

Proposed  Establishment  of  a  Federally  Funded 
Research  and  Development  Center — Second 

Notice 

National  Institute  of 
Standards  and 
Technology 

June  21,  2013 

2 

NIST  intends  to  sponsor  a  Federally  Funded  Research  and 
Development  Center  (FFRDC)  to  facilitate  public-private 
collaboration  for  accelerating  the  widespread  adoption  of 
integrated  cybersecurity  tools  and  technologies.  This  is  the 
second  of  three  notices  that  must  be  published  over  a  90-day 
period  to  advise  the  public  of  the  agency’s  intention  to  sponsor 
an  FFRDC. 

Governor  McDonnell  Announces  Creation  of 
MACFf37,  America’s  Premier  Market-Centric 

Cyber  Security  Accelerator 

Virginia  Secretary  of 
Commerce  and  Trade 

April  1  1,  2013 

N/A 

Virginia  Governor  Bob  McDonnell  announced  the  creation  of 
MACFH37,  a  cyber  security  accelerator  to  be  located  at  the 

Center  for  Innovative  Technology.  Initially  funded  by  the 
Commonwealth  of  Virginia,  the  accelerator  will  leverage  private 
investments  to  launch  new,  high  growth  cyber  technology 
companies  in  Virginia. 

Open  Trusted  Technology  Provider  Standard  (O- 
TTPS)™,  Version  1.0:  Mitigating  Maliciously 

Tainted  and  Counterfeit  Products 

The  Open  Group 

April  2013 

44 

Specifically  intended  to  prevent  maliciously  tainted  and 
counterfeit  products  from  entering  the  supply  chain,  this  first 
release  of  the  O-TTPS  codifies  best  practices  across  the  entire 
COTS  ICT  product  lifecycle,  including  the  design,  sourcing, 
build,  fulfillment,  distribution,  sustainment,  and  disposal  phases. 

The  O-TTPS  will  enable  organizations  to  implement  best 
practice  requirements  and  allow  all  providers,  component 
suppliers,  and  integrators  to  obtain  Trusted  Technology 

Provider  status.  (Registration  required). 

The  International  Cyber-Security  Ecosystem  (video 
lecture) 

Anthony  M.  Rutkowski, 
Distinguished  Senior 
Research  Fellow  at  the 
Georgia  Institute  of 
Technology,  Nunn 

School  Center  for 
International  Strategy 
Technology  and  Policy 
(CISTP) 

November  6, 
2012 

N/A 

Overview  of  the  various  forums/communities  and 
methodologies  that  comprise  the  security  assurance 
ecosystem — often  also  referred  to  as  Information  Assurance. 

20  Critical  Security  Controls  for  Effective  Cyber 
Defense 

Center  for  Strategic  & 
International  Studies 

November 

2012 

89 

The  Top  20  security  controls  were  agreed  upon  by  a 
consortium.  Members  of  the  Consortium  include  NSA,  US 

CERT,  DOD  JTF-GNO,  the  Department  of  Energy  Nuclear 
Laboratories,  Department  of  State,  DOD  Cyber  Crime  Center 
plus  commercial  forensics  experts  in  the  banking  and  critical 
infrastructure  communities. 

SBIR  Phase  II:  Information  Security  Risk  Taking 

National  Science 
Foundation  (NSF) 

January  17, 

2012 

N/A 

The  NSF  is  funding  research  on  giving  organizations  information- 
security  risk  ratings,  similar  to  credit  ratings  for  individuals. 
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Source 

Date 

Pages 

Notes 

Anomaly  Detection  at  Multiple  Scales  (ADAMS) 

Defense  Advanced 
Research  Projects 

Agency  (DARPA) 

November  9, 

201  1 

74 

The  report  describes  a  system  for  preventing  leaks  by  seeding 
believable  disinformation  in  military  information  systems  to  help 
identify  individuals  attempting  to  access  and  disseminate 
classified  information. 

At  the  Forefront  of  Cyber  Security  Research 

NSF 

August  5,  20 1  1 

N/A 

TRUST  is  a  university  and  industry  consortium  that  examines 
cyber  security  issues  related  to  health  care,  national 
infrastructures,  law  and  other  issues  facing  the  general  public. 

Designing  A  Digital  Future:  Federally  Funded 
Research  And  Development  In  Networking  And 
Information  Technology 

White  House 

December 

2010 

148 

The  President’s  Council  of  Advisors  on  Science  and  Technology 
(PCAST)  has  made  several  recommendations  in  a  report  about 
the  state  of  the  government’s  Networking  and  Information 
Technology  Research  and  Development  (NITRD)  Program. 

Partnership  for  Cybersecurity  Innovation 

White  House  Office  of 
Science  and  Technology 
Policy 

December  6, 
2010 

10 

The  Obama  Administration  released  a  Memorandum  of 
Understanding  (below)  signed  by  the  National  Institute  of 
Standards  and  Technology  (NIST)  of  the  Department  of 
Commerce,  the  Science  and  Technology  Directorate  of  the 
Department  of  Homeland  Security  (DHS/S&T),  and  the  Financial 
Services  Sector  Coordinating  Council  (FSSCC).  The  goal  of  the 
agreement  is  to  speed  the  commercialization  of  cybersecurity 
research  innovations  that  support  our  nation’s  critical 
infrastructures. 

Memorandum  of  Understanding  (MOU) 

NIST,  DHS,  and 

Financial  Services 

Sector  Coordinating 
Council 

December  2, 
2010 

4 

The  document  formalizes  the  intent  of  the  parties  to  expedite 
the  coordinated  development  and  availability  of  collaborative 
research,  development,  and  testing  activities  for  cybersecurity 
technologies  and  processes  based  upon  the  financial  services 
sector’s  needs. 

Science  of  Cyber-Security 

Mitre  Corp  (JASON 
Program  Office) 

November 

2010 

86 

JASON  was  requested  by  DOD  to  examine  the  theory  and 
practice  of  cyber-security,  and  evaluate  whether  there  are 
underlying  fundamental  principles  that  would  make  it  possible  to 
adopt  a  more  scientific  approach,  identify  what  is  needed  in 
creating  a  science  of  cyber-security,  and  recommend  specific 
ways  in  which  scientific  methods  can  be  applied. 

American  Security  Challenge:  Moving  Innovation  to 
Market 

National  Security 

Initiative 

October  18, 

2010 

N/A 

The  objective  of  the  Challenge  is  to  increase  the  visibility  of 
innovative  technology  and  help  the  commercialization  process 
so  that  such  technology  can  reach  either  the  public  or 
commercial  marketplace  faster  to  protect  our  citizens  and 
critical  assets. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
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Cybersecurity:  Authoritative  Reports  and  Resources,  by  Topic 


Related  Resources:  Other  Websites 

This  section  contains  other  cybersecurity  resources,  including  U.S.  government,  international, 
news  sources,  and  other  associations  and  institutions. 


Congressional  Research  Service 


78 


Table  1 5.  Related  Resources:  Congressional/Government 


Name 

Source 

Notes 

Integrated  Intelligence  Center  (1 1C) 

Center  for  Internet  Security 

Serves  as  a  resource  for  state,  local,  tribal,  and  territorial  government 
partners  to  engage  in  a  collaborative  information  sharing  and  analysis 
environment  on  cybersecurity  issues.  Through  this  initiative  the  IIC 
provides  fusion  centers,  homeland  security  advisors,  and  law 
enforcement  entities  with  access  to  a  broad  range  of  cybersecurity 
products,  reflecting  input  from  many  sources. 

Computer  Security  Resource  Center 

National  Institute  of  Standards  and 

Technology  (NIST) 

Links  to  NIST  resources,  publications,  and  computer  security  groups. 

Congressional  Cybersecurity  Caucus 

Led  by  Representatives  Jim  Langevin  and 

Mike  McCaul. 

Provides  statistics,  news  on  congressional  cyberspace  actions,  and  links 
to  other  information  websites. 

Cybersecurity 

White  House  National  Security  Council 

Links  to  White  House  policy  statements,  key  documents,  videos,  and 
blog  posts. 

Cybersecurity 

National  Telecommunications  &  Information 
Administration  (U.S.  Department  of 
Commerce) 

The  Department  of  Commerce’s  Internet  Policy  Task  Force  is 
conducting  a  comprehensive  review  of  the  nexus  between  cybersecurity 
challenges  in  the  commercial  sector  and  innovation  in  the  Internet 
economy. 

Cybersecurity  and  Information  System 
Trustworthiness 

National  Academy  of  Sciences,  Computer 
Science  and  Telecommunications  Board 

A  list  of  CSTB’s  independent  and  informed  reports  on  cybersecurity  and 
public  policy. 

President’s  National  Security 
Telecommunications  Advisory  Committee 
(NSTAC) 

U.S.  Department  of  Homeland  Security 

NSTAC’s  goal  is  to  develop  recommendations  to  the  President  to 
assure  vital  telecommunications  links  through  any  event  or  crisis  and  to 
help  the  U.S.  government  maintain  a  reliable,  secure,  and  resilient 
national  communications  posture. 
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Name 

Source 

Notes 

Office  of  Cybersecurity  and  Communications 
(CS&C) 

U.S.  Department  of  Homeland  Security 

CS&C  works  to  prevent  or  minimize  disruptions  to  critical  information 
infrastructure  in  order  to  protect  the  public,  the  economy,  and 
government  services.  CS&C  leads  efforts  to  protect  the  federal  “.gov” 
domain  of  civilian  government  networks  and  to  collaborate  with  the 
private  sector — the  “.com”  domain — to  increase  the  security  of  critical 
networks 

Cyber  Domain  Security  and  Operations 

U.S.  Department  of  Defense 

Links  to  press  releases,  fact  sheets,  speeches,  announcements,  and 
videos. 

U.S.  Cyber-Consequences  Unit 

U.S.  Cyber-Consequences  Unit  (U.S.-CCU) 

U.S.-CCU,  a  nonprofit  50 1  c(3)  research  institute,  provides  assessments 
of  the  strategic  and  economic  consequences  of  possible  cyber-attacks 
and  cyber-assisted  physical  attacks.  It  also  investigates  the  likelihood  of 
such  attacks  and  examines  the  cost-effectiveness  of  possible  counter¬ 
measures. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
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Table  16.  Related  Resources:  International  Organizations 


Name 

Source 

Notes 

Center  for  Internet  Security  (Australia) 

Australian  Communications  and  Media 
Authority 

The  Australian  Internet  Security  Initiative  (AISI)  is  an  antibotnet 
initiative  that  collects  data  on  botnets  in  collaboration  with 

Internet  Service  Providers  (ISPs),  and  two  industry  codes  of 
practice. 

Cybercrime 

Council  of  Europe 

Links  to  the  Convention  on  Cybercrime  treaty,  standards,  news, 
and  related  information. 

Cybersecurity  Gateway 

International  Telecommunications 

Union  (ITU) 

ITU’s  Cybersecurity  Gateway  aims  to  be  a  collaborative  platform, 
providing  and  sharing  information  between  partners  in  civil  society, 
private  sector,  governmental  and  international  organizations 
working  in  different  work  areas  of  cybersecurity 

Cybercrime  Legislation  -  Country  Profiles 

Council  of  Europe 

These  profiles  have  been  prepared  within  the  framework  of  the 
Council  of  Europe’s  Project  on  Cybercrime  in  view  of  sharing 
information  on  cybercrime  legislation  and  assessing  the  current 
state  of  implementation  of  the  Convention  on  Cybercrime  under 
national  legislation. 

ENISA:  Securing  Europe’s  Information  Society 

European  Network  and  Information 
Security  Agency  (ENISA) 

ENISA  inform  businesses  and  citizens  in  the  European  Union  on 
cybersecurity  threats,  vulnerabilities,  and  attacks.  (Requires  free 
registration  to  access.) 

International  Cyber  Security  Protection  Alliance  (ICSPA) 

International  Cyber  Security 

Protection  Alliance  (ICSPA) 

A  global  not-for-profit  organization  that  aims  to  channel  funding, 
expertise,  and  help  directly  to  law  enforcement  cyber-crime  units 
around  the  world. 

NATO  Cooperative  Cyber  Defence  Centre  of  Excellence 
(CCD  COE)  (Tallin,  Estonia) 

North  Atlantic  Treaty  Organization 
(NATO) 

The  Centre  is  an  international  effort  that  currently  includes 

Estonia,  Latvia,  Lithuania,  Germany,  Hungary,  Italy,  the  Slovak 
Republic,  and  Spain  as  sponsoring  nations,  to  enhance  NATO’s 
cyber-defence  capability. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
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Table  1 7.  Related  Resources:  News 


Name  Source 


Computer  Security  (Cybersecurity) 

New  York  Times 

Cybersecurity 

NextGov.com 

Cyberwarfare  and  Cybersecurity 

Benton  Foundation 

Homeland  Security 

Congressional  Quarterly  (CQ) 

Cybersecurity 

Homeland  Security  News  Wire 

Table  18.  Related  Resources:  Other  Associations  and  Institutions 


Name 

Notes 

Council  on  Cybersecurity 

The  Council,  based  in  the  Washington,  DC,  area,  is  the  successor  organization  to  the  National  Board  of 

Information  Security  Examiners  (NBISE),  founded  in  the  United  States  in  2010  to  identify  and  strengthen  the  skills 
needed  to  improve  the  performance  of  the  cybersecurity  workforce.  The  Council  will  also  be  home  to  the  U.S. 

Cyber  Challenge,  (formerly  a  program  of  NBISE),  that  works  with  the  cybersecurity  community  to  bring  accessible, 
compelling  programs  that  motivate  students  and  professionals  to  pursue  education,  development,  and  career 
opportunities  in  cybersecurity. 

Cyber  Aces  Foundation 

Offers  challenging  and  realistic  cybersecurity  competitions,  training  camps,  and  educational  initiatives  through 
which  high  school,  college  students,  and  young  professionals  develop  the  practical  skills  needed  to  excel  as 
cybersecurity  practitioners. 

Cybersecurity  from  the  Center  for  Strategic  & 
International  Studies  (CSIS) 

Links  to  experts,  programs,  publications,  and  multimedia.  CSIS  is  a  bipartisan,  nonprofit  organization  whose 
affiliated  scholars  conduct  research  and  analysis  and  develop  policy  initiatives  that  look  to  the  future  and  anticipate 
change. 

Cyberconflict  and  Cybersecurity  Initiative  from  the 
Council  on  Foreign  Relations 

Focuses  on  the  relationship  between  cyberwar  and  the  existing  laws  of  war  and  conflict;  how  the  United  States 
should  engage  other  states  and  international  actors  in  pursuit  of  its  interests  in  cyberspace;  how  the  promotion  of 
the  free  flow  of  information  interacts  with  the  pursuit  of  cybersecurity;  and  the  private  sector’s  role  in  defense, 
deterrence,  and  resilience. 
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Name 


Notes 


Cyber  Corps:  Scholarship  For  Service  (SFS) 

Scholarship  For  Service  (SFS)  is  designed  to  increase  and  strengthen  the  cadre  of  federal  information  assurance 
professionals  that  protect  the  government’s  critical  information  infrastructure.  This  program  provides  scholarships 
that  fully  fund  the  typical  costs  that  students  pay  for  books,  tuition,  and  room  and  board  while  attending  an 
approved  institution  of  higher  learning. 

Institute  for  Information  Infrastructure  Protection  (I3P) 

I3P  is  a  consortium  of  leading  universities,  national  laboratories  and  nonprofit  institutions.  I3P  assembles  multi¬ 
disciplinary  and  multi-institutional  research  teams  able  to  bring  in-depth  analysis  to  complex  and  pressing  problems. 
Research  outcomes  are  shared  at  l3P-sponsored  workshops,  professional  conferences  and  in  peer-reviewed 
journals,  as  well  as  via  technology  transfer  to  end-users. 

Internet  Security  Alliance  (ISA) 

ISAalliance  is  a  nonprofit  collaboration  between  the  Electronic  Industries  Alliance  (EIA),  a  federation  of  trade 
associations,  and  Carnegie  Mellon  University’s  CyLab. 

National  Association  of  State  Chief  Information  Officers 
(NASCIO) 

NASCIO  provides  state  CIOs  and  state  members  with  products  and  services  designed  to  support  the  challenging 
role  of  the  state  CIO,  stimulate  the  exchange  of  information  and  promote  the  adoption  of  IT  best  practices  and 
innovations.  The  Resource  Guide  provides  examples  of  state  awareness  programs  and  initiatives. 

National  Initiative  for  Cybersecurity  Education  (NICE) 

The  goal  of  NICE  is  to  establish  an  operational,  sustainable  and  continually  improving  cybersecurity  education 
program  for  the  nation  to  use  sound  cyber  practices  that  will  enhance  the  nation’s  security.  NIST  is  leading  the 

NICE  initiative,  including  more  than  20  federal  departments  and  agencies,  to  ensure  coordination,  cooperation, 
focus,  public  engagement,  technology  transfer,  and  sustainability. 

National  Security  Cyberspace  Institute  (NSCI) 

NSCI  provides  education,  research  and  analysis  services  to  government,  industry,  and  academic  clients  aiming  to 
increase  cyberspace  awareness,  interest,  knowledge,  and/or  capabilities. 

U.S.  Cyber  Challenge  (USCC) 

USCC’s  goal  is  to  find  10,000  of  America's  best  and  brightest  to  fill  the  ranks  of  cybersecurity  professionals  where 
their  skills  can  be  of  the  greatest  value  to  the  nation. 

Source:  Highlights  compiled  by  CRS  from  the  reports  of  related  associations  and  institutions. 
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Author  Contact  Information 


Rita  Tehan 

Information  Research  Specialist 
rtehan@crs.loc.gov,  7-6739 


Key  Policy  Staff 

The  following  table  provides  names  and  contact  information  for  CRS  experts  on  policy  issues  related  to 
cybersecurity  bills  currently  being  debated  in  the  1 13th  Congress. 


Legislative  Issues 

Name/Title 

Phone 

E-mail 

Legislation  in  the  1 13th  Congress 

Eric  A.  Fischer 

7-7071 

efischer@crs.loc.gov 

Critical  infrastructure  protection 

John  D.  Moteff 

7-1435 

jmoteff@crs.loc.gov 

Chemical  industry 

Dana  Shea 

7-6844 

dshea@crs.loc.gov 

Defense  industrial  base 

Catherine  A.  Theohary 

7-0844 

ctheohary@crs.loc.gov 

Electricity  grid 

Richard  J.  Campbell 

7-7905 

rcampbell@crs.loc.gov 

Financial  institutions 

N.  Eric  Weiss 

7-6209 

eweiss@crs.loc.gov 

Industrial  control  systems 

Dana  Shea 

7-6844 

dshea@crs.loc.gov 

Cybercrime 

Federal  laws 

Charles  Doyle 

7-6968 

cdoyle@crs.loc.gov 

Law  enforcement 

Kristin  M.  Finklea 

7-6259 

kfinklea@crs.loc.gov 

Cybersecurity  workforce 

Wendy  Ginsberg 

7-3933 

wginsberg@crs.loc.gov 

Cyberterrorism 

Catherine  A.  Theohary 

7-0844 

ctheohary@crs.loc.gov 

Cyberwar 

Catherine  A.  Theohary 

7-0844 

ctheohary@crs.loc.gov 

Data  breach  notification 

Gina  Stevens 

7-258 1 

gstevens@crs.loc.gov 

Economic  issues 

N.  Eric  Weiss 

7-6209 

eweiss@crs.loc.gov 

Espionage 

Advanced  persistent  threat 

Catherine  A.  Theohary 

7-0844 

ctheohary@crs.loc.gov 

Economic  and  industrial 

Kristin  M.  Finklea 

7-6259 

kfinklea@crs.loc.gov 

Legal  issues 

Brian  T.  Yeh 

7-5182 

byeh@crs.loc.gov 

State-sponsored 

Catherine  A.  Theohary 

7-0844 

ctheohary@crs.loc.gov 

Federal  agency  roles 

Eric  A.  Fischer 

7-7071 

efischer@crs.loc.gov 

Chief  Information  Officers  (CIOs) 

Patricia  Maloney  Figliola 

7-2508 

pfigliola@crs.loc.gov 

Commerce 

John  F.  Sargent,  Jr. 

7-9147 

jsargent@crs.loc.gov 

Defense  (DOD) 

Catherine  A.  Theohary 

7-0844 

ctheohary@crs.loc.gov 

Executive  Office  of  the  President  (EOP) 

John  D.  Moteff 

7-1435 

jmoteff@crs.loc.gov 

Homeland  Security  (DHS) 

John  D.  Moteff 

7-1435 

jmoteff@crs.loc.gov 

Congressional  Research  Service 
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Legislative  Issues 

Name/Title 

Phone 

E-mail 

Intelligence  Community  (1C) 

John  Rollins 

7-5529 

jrollins@crs.loc.gov 

Justice  (DOJ) 

Kristin  M.  Finklea 

7-6259 

kfinklea@crs.loc.gov 

National  Security  Agency  (NSA) 

Catherine  A.  Theohary 

7-0844 

ctheohary@crs.loc.gov 

Science  agencies  (NIST,  NSF,  OSTP) 

Eric  A.  Fischer 

7-7071 

efischer@crs.loc.gov 

Treasury  and  financial  agencies 

Rena  S.  Miller 

7-0826 

rsmiller@crs.loc.gov 

Federal  Information  Security 
Management  Act  (FISMA) 

John  D.  Moteff 

7-1435 

jmoteff@crs.loc.gov 

Federal  Internet  monitoring 

Richard  M.  Thompson  II 

7-8449 

rthompson@crs.loc.gov 

Hacktivism 

Kristin  M.  Finklea 

7-6259 

kfinklea@crs.loc.gov 

Information  sharing 

Eric  A.  Fischer 

7-7071 

efischer@crs.loc.gov 

Antitrust  laws 

Kathleen  Ann  Ruane 

7-9135 

kruane@crs.loc.gov 

Civil  liability 

Edward  C.  Liu 

7-9166 

eliu@crs.loc.gov 

Classified  information 

John  Rollins 

7-5529 

jrollins@crs.loc.gov 

Freedom  of  Information  Act  (FOIA) 

Gina  Stevens 

7-2581 

gstevens@crs.loc.gov 

Privacy  and  civil  liberties 

Gina  Stevens 

7-2581 

gstevens@crs.loc.gov 

International  cooperation 

Defense  and  diplomatic 

Catherine  A.  Theohary 

7-0844 

ctheohary@crs.loc.gov 

Law  enforcement 

Kristin  M.  Finklea 

7-6259 

kfinklea@crs.loc.gov 

National  strategy  and  policy 

Eric  A.  Fischer 

7-7071 

efischer@crs.loc.gov 

National  security 

John  Rollins 

7-5529 

jrollins@crs.loc.gov 

Public/private  partnerships 

Eric  A.  Fischer 

7-7071 

efischer@crs.loc.gov 

Supply  chain 

Eric  A.  Fischer 

7-7071 

efischer@crs.loc.gov 

Technological  issues 

Eric  A.  Fischer 

7-7071 

efischer@crs.loc.gov 

Botnets 

Eric  A.  Fischer 

7-7071 

efischer@crs.loc.gov 

Cloud  computing 

Patricia  Maloney  Figliola 

7-2508 

pfigliola@crs.loc.gov 

Mobile  devices 

Patricia  Maloney  Figliola 

7-2508 

pfigliola@crs.loc.gov 

Research  and  development  (R&D) 

Patricia  Maloney  Figliola 

7-2508 

pfigliola@crs.loc.gov 
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